What kind (and size) of keys are in your certificates? That sounds like the most likely issue. On 19/05/2016 17:26, Jan Just Keijser wrote: > Hi all, > > no one has seen this as well? I've seen other mails fly by on > openssl-users after I posted this, yet no response to my query, nor to > a previous mail I sent (about pkcs7). Should I file bug reports instead? > > > Jan Just Keijser wrote: >> hi all, >> >> I've just run into something weird with openssl 1.0.1 and >> s_client+s_server: >> >> - I've downloaded and compiled a static version of openssl 1.0.1t on >> Linux >> - I've set up a PKI with a ca.crt file and a server.crt/server.key >> keypair >> - next , I run >> >> ~/src/openssl-1.0.1t/apps/openssl s_server -CAfile ca.crt -cert >> server.crt -key server.key -dhparam dh2048.pem >> >> - then, with s_client >> >> ~/src/openssl-1.0.1t/apps/openssl s_client -CAfile ca.crt -connect >> 127.0.0.1:4433 >> >> and I always end up with >> >> Verify return code: 21 (unable to verify the first certificate) >> >> If I either change s_server *or* s_client to use openssl 0.9.8 then >> the above commands work! >> >> What am I missing here? Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 S?borg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Service Management for PCs, Phones and Embedded
