Hi Jakob & openssl-er, > Just to be sure (sometimes OpenSSL checks its default -CApath even > if you specify a -CAfile) try this command on the development machine:
> openssl x509 -subject -noout -in cacert.pem > Compare to the deepest value from the screenshot above. I get the log from the embedded linux device and my PC. Sorry, I don't get the deference in the platform, but there is some deference between the platform and PC. Is this help? ------------------------------from embedded platform NG log-------------- /tmp # ./openssl x509 -subject -noout -in cacert-2016-11-02.pem subject=C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA /tmp # ./openssl s_client -connect curl.haxx.se:443 -CAfile ./cacert-2016-11-02.pem CONNECTED(00000003) depth=0 CN = anja.haxx.se /////////////////////////////////always depth=0//////////////////////////////////////// verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 CN = anja.haxx.se verify error:num=21:unable to verify the first certificate verify return:1 --- Certificate chain 0 s:/CN=anja.haxx.se i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 i:/O=Digital Signature Trust Co./CN=DST Root CA X3 --- Server certificate -----BEGIN CERTIFICATE----- ---- -----END CERTIFICATE----- subject=/CN=anja.haxx.se issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 --- No client certificate CA names sent Peer signing digest: SHA512 Server Temp Key: ECDH, P-256, 256 bits --- SSL handshake has read 3143 bytes and written 302 bytes Verification error: unable to verify the first certificate --- New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256 Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES128-GCM-SHA256 Session-ID: AB3322B63747715342DB68B4D18C27F98CF84D4A0E2711719E8B96FA5DA5C1FD Session-ID-ctx: Master-Key: 240CC5C33C7185E49C74076133DF385AB0282A3C68D6D6DC3CB74D0DB845E4242F61DA09A28B544CB5B1D39FA839E6AD PSK identity: None PSK identity hint: None SRP username: None TLS session ticket lifetime hint: 300 (seconds) TLS session ticket: ..... Start Time: 39804 Timeout : 7200 (sec) Verify return code: 21 (unable to verify the first certificate) Extended master secret: no --- closed /tmp # ------------------------------from PC ok log-------------------------------------- georgeyang@georgeyang-virtual-machine:/mnt/hgfs/share/task/danale_task/3516a$ openssl x509 -subject -noout -in cacert-2016-11-02.pem subject= /C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA georgeyang@georgeyang-virtual-machine:/mnt/hgfs/share/task/danale_task/3516a$ openssl s_client -connect curl.haxx.se:443 -CAfile ./cacert-2016-11-02.pem CONNECTED(00000003) depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3 //////////////////////////////////////depth 0,1,2///////////////////////////////// verify return:1 depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3 verify return:1 depth=0 CN = anja.haxx.se verify return:1 --- Certificate chain 0 s:/CN=anja.haxx.se i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 i:/O=Digital Signature Trust Co./CN=DST Root CA X3 --- Server certificate -----BEGIN CERTIFICATE----- ---- -----END CERTIFICATE----- subject=/CN=anja.haxx.se issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 --- No client certificate CA names sent --- SSL handshake has read 3148 bytes and written 443 bytes --- New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256 Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES128-GCM-SHA256 Session-ID: 5640820B2C49B9B2E68563DFDFC7303BE01DE69E7EB4C6C833B4F7872CD173E5 Session-ID-ctx: Master-Key: 48783D2D0E03CE5EACB7AF2577E0E2AFE4F056B191BFB2641D08E602C54BF651B9C195DCFBD2AECC2092B035848B005B Key-Arg : None PSK identity: None PSK identity hint: None SRP username: None TLS session ticket lifetime hint: 300 (seconds) TLS session ticket: --- Start Time: 1481718602 Timeout : 300 (sec) Verify return code: 0 (ok) --- closed georgeyang@georgeyang-virtual-machine :/mnt/hgfs/share/task/danale_task/3516a$ -------------------------------------------------------------------------------------------------------- thank you for your help. Thanks a lot.
-- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users