This seems to me to be very easy to validate by just inserting a self-signed certificate at the front of a CAfile that works. Attached are the 3 certificate files. _CAcerts.good is the first file with two certs the second of which is the CA cert for the server. _CAcerts.bad has the self-signed cert inserted between the two original CA certs. _CAcerts.bad.fixed has the self-signed cert last, after the valid CAcert for the server. Test 1 -------- C:\Users\junswort>openssl s_client -connect WIN-VO1BBDJPNIT.win2k12.marshhouse:6 36 -showcerts -CAfile c:\certs\_CAcerts.good WARNING: can't open config file: static/static/ssl/openssl.cnf CONNECTED(00000158) depth=1 DC = marshhouse, DC = win2k12, CN = win2k12-WIN-VO1BBDJPNIT-CA verify return:1 depth=0 CN = WIN-VO1BBDJPNIT.win2k12.marshhouse verify return:1 --- Certificate chain 0 s:/CN=WIN-VO1BBDJPNIT.win2k12.marshhouse i:/DC=marshhouse/DC=win2k12/CN=win2k12-WIN-VO1BBDJPNIT-CA -----BEGIN CERTIFICATE----- MIIGRDCCBSygAwIBAgITJwAAAAQdtc/gsC8FGAAAAAAABDANBgkqhkiG9w0BAQ0F ADBaMRowGAYKCZImiZPyLGQBGRYKbWFyc2hob3VzZTEXMBUGCgmSJomT8ixkARkW B3dpbjJrMTIxIzAhBgNVBAMTGndpbjJrMTItV0lOLVZPMUJCREpQTklULUNBMB4X DTE2MDgyNDE1MjczM1oXDTE3MDgyNDE1MjczM1owLTErMCkGA1UEAxMiV0lOLVZP MUJCREpQTklULndpbjJrMTIubWFyc2hob3VzZTCCASIwDQYJKoZIhvcNAQEBBQAD ggEPADCCAQoCggEBANGrtW9LP8NV8Bv828I7jR7zHcQeGiW88NnYMalcBD9RGeR0 IPlnmudxxGTKQ7ltTXG+1dKxY9+X3e9F+okovs1Yb0Zfl9trAi1JffvvVZoSZioK HNH5j8EbDGYqw9hdnmp9FT942qBiLz5vNNN8Td9ONJ4AO2jn9mVuj3Ay6m3G+n4h cHxV4ocKL+1r1FfrHmbsvoYAo/wC0i+T+0peqOJ0hN2Eh5v09pNhGAeb6SMDR9DF xJVmENyu1+a1Q851FAZhOYPICFmtZEiXUAKnCTXswuKcuekXOJ6xA1bcVAXo4V0L SRzulW42IuhVG9cTv5fgQE8xJr9UhU3QCxtJbYkCAwEAAaOCAy4wggMqMC8GCSsG AQQBgjcUAgQiHiAARABvAG0AYQBpAG4AQwBvAG4AdAByAG8AbABsAGUAcjAdBgNV HSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDgYDVR0PAQH/BAQDAgWgMHgGCSqG SIb3DQEJDwRrMGkwDgYIKoZIhvcNAwICAgCAMA4GCCqGSIb3DQMEAgIAgDALBglg hkgBZQMEASowCwYJYIZIAWUDBAEtMAsGCWCGSAFlAwQBAjALBglghkgBZQMEAQUw BwYFKw4DAgcwCgYIKoZIhvcNAwcwTgYDVR0RBEcwRaAfBgkrBgEEAYI3GQGgEgQQ ibBbg2xk+kWByfTmlhHwqIIiV0lOLVZPMUJCREpQTklULndpbjJrMTIubWFyc2ho b3VzZTAdBgNVHQ4EFgQUSCFbjzQV9034463X2wih64kj+5QwHwYDVR0jBBgwFoAU rOn/0VeHz/Z6UbAIz6NjTLSCAi4wgecGA1UdHwSB3zCB3DCB2aCB1qCB04aB0Gxk YXA6Ly8vQ049d2luMmsxMi1XSU4tVk8xQkJESlBOSVQtQ0EsQ049V0lOLVZPMUJC REpQTklULENOPUNEUCxDTj1QdWJsaWMlMjBLZXklMjBTZXJ2aWNlcyxDTj1TZXJ2 aWNlcyxDTj1Db25maWd1cmF0aW9uLERDPXdpbjJrMTIsREM9bWFyc2hob3VzZT9j ZXJ0aWZpY2F0ZVJldm9jYXRpb25MaXN0P2Jhc2U/b2JqZWN0Q2xhc3M9Y1JMRGlz dHJpYnV0aW9uUG9pbnQwgdMGCCsGAQUFBwEBBIHGMIHDMIHABggrBgEFBQcwAoaB s2xkYXA6Ly8vQ049d2luMmsxMi1XSU4tVk8xQkJESlBOSVQtQ0EsQ049QUlBLENO PVB1YmxpYyUyMEtleSUyMFNlcnZpY2VzLENOPVNlcnZpY2VzLENOPUNvbmZpZ3Vy YXRpb24sREM9d2luMmsxMixEQz1tYXJzaGhvdXNlP2NBQ2VydGlmaWNhdGU/YmFz ZT9vYmplY3RDbGFzcz1jZXJ0aWZpY2F0aW9uQXV0aG9yaXR5MA0GCSqGSIb3DQEB DQUAA4IBAQB6BRo5lsw19dEii2GGE/4bisSDPYKcDxOKv5Nao3jtt3KGDs19ZFk3 hIQcScKo4+TFDDGsoQExk0NpGc3nRryL5HqK3jUIWhzz9SI+Fa/NMuHYdTqtuiAF fUvnmwFH/d6fIEnCKVLKoOw2ZbFO92Fl+uT8QJchfpwlMWLwWi1edHP+vhSx8v8O HG9ycnhDw4VPH7rlaSEHe3Or7Twh9F/CHpDOTPMOnqHRprUAOzjQnAlmjHsNDp/8 +smY8Z2NyhSFXnI2hXe4HOLrpEwwjD1DhdW5XQ3JW8smSJRgbQspIcmf9XNi4fAO JvJ946dYI/JOydAV4yXvqJnNot/b+ozU -----END CERTIFICATE----- --- Server certificate subject=/CN=WIN-VO1BBDJPNIT.win2k12.marshhouse issuer=/DC=marshhouse/DC=win2k12/CN=win2k12-WIN-VO1BBDJPNIT-CA --- No client certificate CA names sent Client Certificate Types: RSA sign, DSA sign, ECDSA sign Requested Signature Algorithms: RSA+SHA512:ECDSA+SHA512:RSA+SHA256:RSA+SHA384:RS A+SHA1:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA1:DSA+SHA1 Shared Requested Signature Algorithms: RSA+SHA512:ECDSA+SHA512:RSA+SHA256:RSA+SH A384:RSA+SHA1:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA1:DSA+SHA1 Peer signing digest: SHA1 Server Temp Key: ECDH, P-384, 384 bits --- SSL handshake has read 2210 bytes and written 533 bytes --- New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384 Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES256-SHA384 Session-ID: E0160000CE718976B41B64700D5D6EA14414691D9F22928F1B360218A35B0E85 Session-ID-ctx: Master-Key: F0A0E15DEEE0B675A8A84C6C9E827313BCCF37AB5F65F3EA8B08E92E25D367DD 8839E878903ADC3183E5F8C1D73F5A4B Key-Arg : None PSK identity: None PSK identity hint: None SRP username: None Start Time: 1473184726 Timeout : 300 (sec) Verify return code: 0 (ok) Test 2 -------- C:\Users\junswort>openssl s_client -connect WIN-VO1BBDJPNIT.win2k12.marshhouse:6 36 -showcerts -CAfile c:\certs\_CAcerts.bad WARNING: can't open config file: static/static/ssl/openssl.cnf CONNECTED(00000158) depth=0 CN = WIN-VO1BBDJPNIT.win2k12.marshhouse verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 CN = WIN-VO1BBDJPNIT.win2k12.marshhouse verify error:num=21:unable to verify the first certificate verify return:1 --- Certificate chain 0 s:/CN=WIN-VO1BBDJPNIT.win2k12.marshhouse i:/DC=marshhouse/DC=win2k12/CN=win2k12-WIN-VO1BBDJPNIT-CA -----BEGIN CERTIFICATE----- MIIGRDCCBSygAwIBAgITJwAAAAQdtc/gsC8FGAAAAAAABDANBgkqhkiG9w0BAQ0F ADBaMRowGAYKCZImiZPyLGQBGRYKbWFyc2hob3VzZTEXMBUGCgmSJomT8ixkARkW B3dpbjJrMTIxIzAhBgNVBAMTGndpbjJrMTItV0lOLVZPMUJCREpQTklULUNBMB4X DTE2MDgyNDE1MjczM1oXDTE3MDgyNDE1MjczM1owLTErMCkGA1UEAxMiV0lOLVZP MUJCREpQTklULndpbjJrMTIubWFyc2hob3VzZTCCASIwDQYJKoZIhvcNAQEBBQAD ggEPADCCAQoCggEBANGrtW9LP8NV8Bv828I7jR7zHcQeGiW88NnYMalcBD9RGeR0 IPlnmudxxGTKQ7ltTXG+1dKxY9+X3e9F+okovs1Yb0Zfl9trAi1JffvvVZoSZioK HNH5j8EbDGYqw9hdnmp9FT942qBiLz5vNNN8Td9ONJ4AO2jn9mVuj3Ay6m3G+n4h cHxV4ocKL+1r1FfrHmbsvoYAo/wC0i+T+0peqOJ0hN2Eh5v09pNhGAeb6SMDR9DF xJVmENyu1+a1Q851FAZhOYPICFmtZEiXUAKnCTXswuKcuekXOJ6xA1bcVAXo4V0L SRzulW42IuhVG9cTv5fgQE8xJr9UhU3QCxtJbYkCAwEAAaOCAy4wggMqMC8GCSsG AQQBgjcUAgQiHiAARABvAG0AYQBpAG4AQwBvAG4AdAByAG8AbABsAGUAcjAdBgNV HSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDgYDVR0PAQH/BAQDAgWgMHgGCSqG SIb3DQEJDwRrMGkwDgYIKoZIhvcNAwICAgCAMA4GCCqGSIb3DQMEAgIAgDALBglg hkgBZQMEASowCwYJYIZIAWUDBAEtMAsGCWCGSAFlAwQBAjALBglghkgBZQMEAQUw BwYFKw4DAgcwCgYIKoZIhvcNAwcwTgYDVR0RBEcwRaAfBgkrBgEEAYI3GQGgEgQQ ibBbg2xk+kWByfTmlhHwqIIiV0lOLVZPMUJCREpQTklULndpbjJrMTIubWFyc2ho b3VzZTAdBgNVHQ4EFgQUSCFbjzQV9034463X2wih64kj+5QwHwYDVR0jBBgwFoAU rOn/0VeHz/Z6UbAIz6NjTLSCAi4wgecGA1UdHwSB3zCB3DCB2aCB1qCB04aB0Gxk YXA6Ly8vQ049d2luMmsxMi1XSU4tVk8xQkJESlBOSVQtQ0EsQ049V0lOLVZPMUJC REpQTklULENOPUNEUCxDTj1QdWJsaWMlMjBLZXklMjBTZXJ2aWNlcyxDTj1TZXJ2 aWNlcyxDTj1Db25maWd1cmF0aW9uLERDPXdpbjJrMTIsREM9bWFyc2hob3VzZT9j ZXJ0aWZpY2F0ZVJldm9jYXRpb25MaXN0P2Jhc2U/b2JqZWN0Q2xhc3M9Y1JMRGlz dHJpYnV0aW9uUG9pbnQwgdMGCCsGAQUFBwEBBIHGMIHDMIHABggrBgEFBQcwAoaB s2xkYXA6Ly8vQ049d2luMmsxMi1XSU4tVk8xQkJESlBOSVQtQ0EsQ049QUlBLENO PVB1YmxpYyUyMEtleSUyMFNlcnZpY2VzLENOPVNlcnZpY2VzLENOPUNvbmZpZ3Vy YXRpb24sREM9d2luMmsxMixEQz1tYXJzaGhvdXNlP2NBQ2VydGlmaWNhdGU/YmFz ZT9vYmplY3RDbGFzcz1jZXJ0aWZpY2F0aW9uQXV0aG9yaXR5MA0GCSqGSIb3DQEB DQUAA4IBAQB6BRo5lsw19dEii2GGE/4bisSDPYKcDxOKv5Nao3jtt3KGDs19ZFk3 hIQcScKo4+TFDDGsoQExk0NpGc3nRryL5HqK3jUIWhzz9SI+Fa/NMuHYdTqtuiAF fUvnmwFH/d6fIEnCKVLKoOw2ZbFO92Fl+uT8QJchfpwlMWLwWi1edHP+vhSx8v8O HG9ycnhDw4VPH7rlaSEHe3Or7Twh9F/CHpDOTPMOnqHRprUAOzjQnAlmjHsNDp/8 +smY8Z2NyhSFXnI2hXe4HOLrpEwwjD1DhdW5XQ3JW8smSJRgbQspIcmf9XNi4fAO JvJ946dYI/JOydAV4yXvqJnNot/b+ozU -----END CERTIFICATE----- --- Server certificate subject=/CN=WIN-VO1BBDJPNIT.win2k12.marshhouse issuer=/DC=marshhouse/DC=win2k12/CN=win2k12-WIN-VO1BBDJPNIT-CA --- No client certificate CA names sent Client Certificate Types: RSA sign, DSA sign, ECDSA sign Requested Signature Algorithms: RSA+SHA512:ECDSA+SHA512:RSA+SHA256:RSA+SHA384:RS A+SHA1:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA1:DSA+SHA1 Shared Requested Signature Algorithms: RSA+SHA512:ECDSA+SHA512:RSA+SHA256:RSA+SH A384:RSA+SHA1:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA1:DSA+SHA1 Peer signing digest: SHA1 Server Temp Key: ECDH, P-384, 384 bits --- SSL handshake has read 2210 bytes and written 533 bytes --- New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384 Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES256-SHA384 Session-ID: D51D0000964C48960FBDB92D73989E9FED3BE5142A228C97055AF84A5A84F027 Session-ID-ctx: Master-Key: FBDAD623108F8AA5B342B62388C298716FC72620403BBC77D8D7C6A82EADAF02 77FC233C88D9D6B1E352E97A97B599A4 Key-Arg : None PSK identity: None PSK identity hint: None SRP username: None Start Time: 1473184857 Timeout : 300 (sec) Verify return code: 21 (unable to verify the first certificate) Test 3 -------- C:\Users\junswort>openssl s_client -connect WIN-VO1BBDJPNIT.win2k12.marshhouse:6 36 -showcerts -CAfile c:\certs\_CAcerts.bad.fixed WARNING: can't open config file: static/static/ssl/openssl.cnf CONNECTED(00000158) depth=1 DC = marshhouse, DC = win2k12, CN = win2k12-WIN-VO1BBDJPNIT-CA verify return:1 depth=0 CN = WIN-VO1BBDJPNIT.win2k12.marshhouse verify return:1 --- Certificate chain 0 s:/CN=WIN-VO1BBDJPNIT.win2k12.marshhouse i:/DC=marshhouse/DC=win2k12/CN=win2k12-WIN-VO1BBDJPNIT-CA -----BEGIN CERTIFICATE----- MIIGRDCCBSygAwIBAgITJwAAAAQdtc/gsC8FGAAAAAAABDANBgkqhkiG9w0BAQ0F ADBaMRowGAYKCZImiZPyLGQBGRYKbWFyc2hob3VzZTEXMBUGCgmSJomT8ixkARkW B3dpbjJrMTIxIzAhBgNVBAMTGndpbjJrMTItV0lOLVZPMUJCREpQTklULUNBMB4X DTE2MDgyNDE1MjczM1oXDTE3MDgyNDE1MjczM1owLTErMCkGA1UEAxMiV0lOLVZP MUJCREpQTklULndpbjJrMTIubWFyc2hob3VzZTCCASIwDQYJKoZIhvcNAQEBBQAD ggEPADCCAQoCggEBANGrtW9LP8NV8Bv828I7jR7zHcQeGiW88NnYMalcBD9RGeR0 IPlnmudxxGTKQ7ltTXG+1dKxY9+X3e9F+okovs1Yb0Zfl9trAi1JffvvVZoSZioK HNH5j8EbDGYqw9hdnmp9FT942qBiLz5vNNN8Td9ONJ4AO2jn9mVuj3Ay6m3G+n4h cHxV4ocKL+1r1FfrHmbsvoYAo/wC0i+T+0peqOJ0hN2Eh5v09pNhGAeb6SMDR9DF xJVmENyu1+a1Q851FAZhOYPICFmtZEiXUAKnCTXswuKcuekXOJ6xA1bcVAXo4V0L SRzulW42IuhVG9cTv5fgQE8xJr9UhU3QCxtJbYkCAwEAAaOCAy4wggMqMC8GCSsG AQQBgjcUAgQiHiAARABvAG0AYQBpAG4AQwBvAG4AdAByAG8AbABsAGUAcjAdBgNV HSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDgYDVR0PAQH/BAQDAgWgMHgGCSqG SIb3DQEJDwRrMGkwDgYIKoZIhvcNAwICAgCAMA4GCCqGSIb3DQMEAgIAgDALBglg hkgBZQMEASowCwYJYIZIAWUDBAEtMAsGCWCGSAFlAwQBAjALBglghkgBZQMEAQUw BwYFKw4DAgcwCgYIKoZIhvcNAwcwTgYDVR0RBEcwRaAfBgkrBgEEAYI3GQGgEgQQ ibBbg2xk+kWByfTmlhHwqIIiV0lOLVZPMUJCREpQTklULndpbjJrMTIubWFyc2ho b3VzZTAdBgNVHQ4EFgQUSCFbjzQV9034463X2wih64kj+5QwHwYDVR0jBBgwFoAU rOn/0VeHz/Z6UbAIz6NjTLSCAi4wgecGA1UdHwSB3zCB3DCB2aCB1qCB04aB0Gxk YXA6Ly8vQ049d2luMmsxMi1XSU4tVk8xQkJESlBOSVQtQ0EsQ049V0lOLVZPMUJC REpQTklULENOPUNEUCxDTj1QdWJsaWMlMjBLZXklMjBTZXJ2aWNlcyxDTj1TZXJ2 aWNlcyxDTj1Db25maWd1cmF0aW9uLERDPXdpbjJrMTIsREM9bWFyc2hob3VzZT9j ZXJ0aWZpY2F0ZVJldm9jYXRpb25MaXN0P2Jhc2U/b2JqZWN0Q2xhc3M9Y1JMRGlz dHJpYnV0aW9uUG9pbnQwgdMGCCsGAQUFBwEBBIHGMIHDMIHABggrBgEFBQcwAoaB s2xkYXA6Ly8vQ049d2luMmsxMi1XSU4tVk8xQkJESlBOSVQtQ0EsQ049QUlBLENO PVB1YmxpYyUyMEtleSUyMFNlcnZpY2VzLENOPVNlcnZpY2VzLENOPUNvbmZpZ3Vy YXRpb24sREM9d2luMmsxMixEQz1tYXJzaGhvdXNlP2NBQ2VydGlmaWNhdGU/YmFz ZT9vYmplY3RDbGFzcz1jZXJ0aWZpY2F0aW9uQXV0aG9yaXR5MA0GCSqGSIb3DQEB DQUAA4IBAQB6BRo5lsw19dEii2GGE/4bisSDPYKcDxOKv5Nao3jtt3KGDs19ZFk3 hIQcScKo4+TFDDGsoQExk0NpGc3nRryL5HqK3jUIWhzz9SI+Fa/NMuHYdTqtuiAF fUvnmwFH/d6fIEnCKVLKoOw2ZbFO92Fl+uT8QJchfpwlMWLwWi1edHP+vhSx8v8O HG9ycnhDw4VPH7rlaSEHe3Or7Twh9F/CHpDOTPMOnqHRprUAOzjQnAlmjHsNDp/8 +smY8Z2NyhSFXnI2hXe4HOLrpEwwjD1DhdW5XQ3JW8smSJRgbQspIcmf9XNi4fAO JvJ946dYI/JOydAV4yXvqJnNot/b+ozU -----END CERTIFICATE----- --- Server certificate subject=/CN=WIN-VO1BBDJPNIT.win2k12.marshhouse issuer=/DC=marshhouse/DC=win2k12/CN=win2k12-WIN-VO1BBDJPNIT-CA --- No client certificate CA names sent Client Certificate Types: RSA sign, DSA sign, ECDSA sign Requested Signature Algorithms: RSA+SHA512:ECDSA+SHA512:RSA+SHA256:RSA+SHA384:RS A+SHA1:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA1:DSA+SHA1 Shared Requested Signature Algorithms: RSA+SHA512:ECDSA+SHA512:RSA+SHA256:RSA+SH A384:RSA+SHA1:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA1:DSA+SHA1 Peer signing digest: SHA1 Server Temp Key: ECDH, P-384, 384 bits --- SSL handshake has read 2210 bytes and written 533 bytes --- New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384 Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES256-SHA384 Session-ID: 640700008BAE822317D1CCBE249A1DFDE7D40963500ABC96EFD973972C689062 Session-ID-ctx: Master-Key: 94B722012AAAD6270AF2304805C6D3C415B8C94E906A1B73ABDBF04CE850E710 D672A81CBB72AC2B17071B5B6F8BDD82 Key-Arg : None PSK identity: None PSK identity hint: None SRP username: None Start Time: 1473185012 Timeout : 300 (sec) Verify return code: 0 (ok) -----Original Message----- From: openssl-users [mailto:openssl-users-bounces@xxxxxxxxxxx] On Behalf Of Viktor Dukhovni Sent: 06 September 2016 18:47 To: openssl-users at openssl.org Subject: Re: A self-signed CA certificate in the CA file *sometimes* stops verification working > On Sep 6, 2016, at 11:53 AM, John Unsworth <John.Unsworth at synchronoss.com> wrote: > > I have noticed the following behaviour: > > 1 Create a certificate file with two CA certificates, one for the server being connected to (server A) and one for another server (server B). > 2 Whichever way the CA certificates are ordered the connect works OK. > 3 Add a self-signed CA certificate in the file before the one for server A. The connect fails ?Verify return code: 21 (unable to verify the first certificate)?. > 4 Move the self-signed CA certificate after the one for server A. The connect works OK. > > Why should the self-signed certificate affect the connection when the required CA certificate is in the certificate file? Is this a bug? You've provided much too little detail for a meaningful answer. Post the server chain being validated as reported by $ openssl s_client -showcerts -connect <server>:443 > chain.pem $ openssl crl2pkcs7 -nocrl -certfile chain.pem | openssl pkcs7 -print_certs and all three CA certificates. Do not post any of the private keys. -- Viktor. -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users -------------- next part -------------- A non-text attachment was scrubbed... Name: _CAcerts.bad.fixed Type: application/octet-stream Size: 4522 bytes Desc: _CAcerts.bad.fixed URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20160906/5b3e12e1/attachment-0003.obj> -------------- next part -------------- A non-text attachment was scrubbed... Name: _CAcerts.good Type: application/octet-stream Size: 2572 bytes Desc: _CAcerts.good URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20160906/5b3e12e1/attachment-0004.obj> -------------- next part -------------- A non-text attachment was scrubbed... Name: _CAcerts.bad Type: application/octet-stream Size: 4445 bytes Desc: _CAcerts.bad URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20160906/5b3e12e1/attachment-0005.obj>