On 12/22/15 14:56, Stuart Henderson wrote:
> Could some libressl people look at this please? We have a problem where
> the chain coming from a server roots from a certificate that isn't in
> the root store, but an intermediary certificate *is* in the root store.
> Thanks.

I also just hit this bug when setting up a connection to the
test-environment of SIDN:

$ openssl s_client -connect testdrs.domain-registry.nl:700
CONNECTED(00000003)
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=NL/ST=Gelderland/L=Arnhem/O=Stichting Internet Domeinregistratie Nederland/OU=ICT/CN=testdrs.domain-registry.nl
   i:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
 1 s:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
 2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority

Has anyone looked into this yet?

martijn@
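
Added example, not part of the original message and not LibreSSL code: a small Python check that reads the "Certificate chain" section of `openssl s_client` output and reports when a trusted name sits inside the chain while the topmost issuer is absent from the store, the situation described in the quoted report. The sample chain, the trust-store contents and the function names are constructed, and matching by subject name alone is a simplification.

```python
import re

# Constructed sample in the layout of the "Certificate chain" section printed
# by openssl s_client; names are placeholders, not the certificates above.
SAMPLE = """\
Certificate chain
 0 s:/O=Example Registry/CN=epp.example.test
   i:/O=Example CA/CN=Issuing CA
 1 s:/O=Example CA/CN=Issuing CA
   i:/O=Example CA/CN=Primary Root G5
 2 s:/O=Example CA/CN=Primary Root G5
   i:/O=Example CA/CN=Legacy Root
"""

# Assumed trust store, reduced to subject names (constructed).
TRUST_STORE = {"/O=Example CA/CN=Primary Root G5"}


def parse_chain(text):
    """Return [(depth, subject, issuer), ...] from s_client chain output."""
    chain, pending = [], None
    for line in text.splitlines():
        subj = re.match(r"\s*(\d+) s:(.+)$", line)
        if subj:
            pending = (int(subj.group(1)), subj.group(2).strip())
            continue
        iss = re.match(r"\s+i:(.+)$", line)
        if iss and pending is not None:
            chain.append((pending[0], pending[1], iss.group(1).strip()))
            pending = None
    return chain


def diagnose(chain, trusted):
    """Classify a peer-supplied chain against trusted subject names.

    Name matching only: a real verifier also checks keys and signatures.
    """
    if not chain:
        return ("empty", None)
    if chain[-1][2] in trusted:
        return ("top-issuer-trusted", None)
    anchors = [depth for depth, subject, _ in chain if subject in trusted]
    if anchors:
        # A store entry matches a certificate inside the chain, but the
        # chain as sent continues to an issuer the store does not hold.
        return ("anchor-inside-chain", min(anchors))
    return ("untrusted", None)


if __name__ == "__main__":
    print(diagnose(parse_chain(SAMPLE), TRUST_STORE))
```

A result of `anchor-inside-chain` identifies the depth at which a path could end at a store entry instead of following the extra certificate the server sent.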
