A self-signed CA certificate in the CA files *sometimes* stops verification working

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

This seems to me to be very easy to validate by just inserting a self-signed certificate at the front of a CAfile that works.

Attached are the 3 certificate files.

_CAcerts.good is the first file with two certs the second of which is the CA cert for the server.
_CAcerts.bad has the self-signed cert inserted between the two original CA certs.
_CAcerts.bad.fixed has the self-signed cert last, after the valid CAcert for the server.

Test 1
--------

C:\Users\junswort>openssl s_client -connect WIN-VO1BBDJPNIT.win2k12.marshhouse:6
36 -showcerts -CAfile c:\certs\_CAcerts.good
WARNING: can't open config file: static/static/ssl/openssl.cnf
CONNECTED(00000158)
depth=1 DC = marshhouse, DC = win2k12, CN = win2k12-WIN-VO1BBDJPNIT-CA
verify return:1
depth=0 CN = WIN-VO1BBDJPNIT.win2k12.marshhouse
verify return:1
---
Certificate chain
 0 s:/CN=WIN-VO1BBDJPNIT.win2k12.marshhouse
   i:/DC=marshhouse/DC=win2k12/CN=win2k12-WIN-VO1BBDJPNIT-CA
-----BEGIN CERTIFICATE-----
MIIGRDCCBSygAwIBAgITJwAAAAQdtc/gsC8FGAAAAAAABDANBgkqhkiG9w0BAQ0F
ADBaMRowGAYKCZImiZPyLGQBGRYKbWFyc2hob3VzZTEXMBUGCgmSJomT8ixkARkW
B3dpbjJrMTIxIzAhBgNVBAMTGndpbjJrMTItV0lOLVZPMUJCREpQTklULUNBMB4X
DTE2MDgyNDE1MjczM1oXDTE3MDgyNDE1MjczM1owLTErMCkGA1UEAxMiV0lOLVZP
MUJCREpQTklULndpbjJrMTIubWFyc2hob3VzZTCCASIwDQYJKoZIhvcNAQEBBQAD
ggEPADCCAQoCggEBANGrtW9LP8NV8Bv828I7jR7zHcQeGiW88NnYMalcBD9RGeR0
IPlnmudxxGTKQ7ltTXG+1dKxY9+X3e9F+okovs1Yb0Zfl9trAi1JffvvVZoSZioK
HNH5j8EbDGYqw9hdnmp9FT942qBiLz5vNNN8Td9ONJ4AO2jn9mVuj3Ay6m3G+n4h
cHxV4ocKL+1r1FfrHmbsvoYAo/wC0i+T+0peqOJ0hN2Eh5v09pNhGAeb6SMDR9DF
xJVmENyu1+a1Q851FAZhOYPICFmtZEiXUAKnCTXswuKcuekXOJ6xA1bcVAXo4V0L
SRzulW42IuhVG9cTv5fgQE8xJr9UhU3QCxtJbYkCAwEAAaOCAy4wggMqMC8GCSsG
AQQBgjcUAgQiHiAARABvAG0AYQBpAG4AQwBvAG4AdAByAG8AbABsAGUAcjAdBgNV
HSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDgYDVR0PAQH/BAQDAgWgMHgGCSqG
SIb3DQEJDwRrMGkwDgYIKoZIhvcNAwICAgCAMA4GCCqGSIb3DQMEAgIAgDALBglg
hkgBZQMEASowCwYJYIZIAWUDBAEtMAsGCWCGSAFlAwQBAjALBglghkgBZQMEAQUw
BwYFKw4DAgcwCgYIKoZIhvcNAwcwTgYDVR0RBEcwRaAfBgkrBgEEAYI3GQGgEgQQ
ibBbg2xk+kWByfTmlhHwqIIiV0lOLVZPMUJCREpQTklULndpbjJrMTIubWFyc2ho
b3VzZTAdBgNVHQ4EFgQUSCFbjzQV9034463X2wih64kj+5QwHwYDVR0jBBgwFoAU
rOn/0VeHz/Z6UbAIz6NjTLSCAi4wgecGA1UdHwSB3zCB3DCB2aCB1qCB04aB0Gxk
YXA6Ly8vQ049d2luMmsxMi1XSU4tVk8xQkJESlBOSVQtQ0EsQ049V0lOLVZPMUJC
REpQTklULENOPUNEUCxDTj1QdWJsaWMlMjBLZXklMjBTZXJ2aWNlcyxDTj1TZXJ2
aWNlcyxDTj1Db25maWd1cmF0aW9uLERDPXdpbjJrMTIsREM9bWFyc2hob3VzZT9j
ZXJ0aWZpY2F0ZVJldm9jYXRpb25MaXN0P2Jhc2U/b2JqZWN0Q2xhc3M9Y1JMRGlz
dHJpYnV0aW9uUG9pbnQwgdMGCCsGAQUFBwEBBIHGMIHDMIHABggrBgEFBQcwAoaB
s2xkYXA6Ly8vQ049d2luMmsxMi1XSU4tVk8xQkJESlBOSVQtQ0EsQ049QUlBLENO
PVB1YmxpYyUyMEtleSUyMFNlcnZpY2VzLENOPVNlcnZpY2VzLENOPUNvbmZpZ3Vy
YXRpb24sREM9d2luMmsxMixEQz1tYXJzaGhvdXNlP2NBQ2VydGlmaWNhdGU/YmFz
ZT9vYmplY3RDbGFzcz1jZXJ0aWZpY2F0aW9uQXV0aG9yaXR5MA0GCSqGSIb3DQEB
DQUAA4IBAQB6BRo5lsw19dEii2GGE/4bisSDPYKcDxOKv5Nao3jtt3KGDs19ZFk3
hIQcScKo4+TFDDGsoQExk0NpGc3nRryL5HqK3jUIWhzz9SI+Fa/NMuHYdTqtuiAF
fUvnmwFH/d6fIEnCKVLKoOw2ZbFO92Fl+uT8QJchfpwlMWLwWi1edHP+vhSx8v8O
HG9ycnhDw4VPH7rlaSEHe3Or7Twh9F/CHpDOTPMOnqHRprUAOzjQnAlmjHsNDp/8
+smY8Z2NyhSFXnI2hXe4HOLrpEwwjD1DhdW5XQ3JW8smSJRgbQspIcmf9XNi4fAO
JvJ946dYI/JOydAV4yXvqJnNot/b+ozU
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=WIN-VO1BBDJPNIT.win2k12.marshhouse
issuer=/DC=marshhouse/DC=win2k12/CN=win2k12-WIN-VO1BBDJPNIT-CA
---
No client certificate CA names sent
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA512:ECDSA+SHA512:RSA+SHA256:RSA+SHA384:RS
A+SHA1:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA1:DSA+SHA1
Shared Requested Signature Algorithms: RSA+SHA512:ECDSA+SHA512:RSA+SHA256:RSA+SH
A384:RSA+SHA1:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA1:DSA+SHA1
Peer signing digest: SHA1
Server Temp Key: ECDH, P-384, 384 bits
---
SSL handshake has read 2210 bytes and written 533 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-SHA384
    Session-ID: E0160000CE718976B41B64700D5D6EA14414691D9F22928F1B360218A35B0E85
    Session-ID-ctx:
    Master-Key: F0A0E15DEEE0B675A8A84C6C9E827313BCCF37AB5F65F3EA8B08E92E25D367DD
8839E878903ADC3183E5F8C1D73F5A4B
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1473184726
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)

Test 2
--------

C:\Users\junswort>openssl s_client -connect WIN-VO1BBDJPNIT.win2k12.marshhouse:6
36 -showcerts -CAfile c:\certs\_CAcerts.bad
WARNING: can't open config file: static/static/ssl/openssl.cnf
CONNECTED(00000158)
depth=0 CN = WIN-VO1BBDJPNIT.win2k12.marshhouse
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = WIN-VO1BBDJPNIT.win2k12.marshhouse
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=WIN-VO1BBDJPNIT.win2k12.marshhouse
   i:/DC=marshhouse/DC=win2k12/CN=win2k12-WIN-VO1BBDJPNIT-CA
-----BEGIN CERTIFICATE-----
MIIGRDCCBSygAwIBAgITJwAAAAQdtc/gsC8FGAAAAAAABDANBgkqhkiG9w0BAQ0F
ADBaMRowGAYKCZImiZPyLGQBGRYKbWFyc2hob3VzZTEXMBUGCgmSJomT8ixkARkW
B3dpbjJrMTIxIzAhBgNVBAMTGndpbjJrMTItV0lOLVZPMUJCREpQTklULUNBMB4X
DTE2MDgyNDE1MjczM1oXDTE3MDgyNDE1MjczM1owLTErMCkGA1UEAxMiV0lOLVZP
MUJCREpQTklULndpbjJrMTIubWFyc2hob3VzZTCCASIwDQYJKoZIhvcNAQEBBQAD
ggEPADCCAQoCggEBANGrtW9LP8NV8Bv828I7jR7zHcQeGiW88NnYMalcBD9RGeR0
IPlnmudxxGTKQ7ltTXG+1dKxY9+X3e9F+okovs1Yb0Zfl9trAi1JffvvVZoSZioK
HNH5j8EbDGYqw9hdnmp9FT942qBiLz5vNNN8Td9ONJ4AO2jn9mVuj3Ay6m3G+n4h
cHxV4ocKL+1r1FfrHmbsvoYAo/wC0i+T+0peqOJ0hN2Eh5v09pNhGAeb6SMDR9DF
xJVmENyu1+a1Q851FAZhOYPICFmtZEiXUAKnCTXswuKcuekXOJ6xA1bcVAXo4V0L
SRzulW42IuhVG9cTv5fgQE8xJr9UhU3QCxtJbYkCAwEAAaOCAy4wggMqMC8GCSsG
AQQBgjcUAgQiHiAARABvAG0AYQBpAG4AQwBvAG4AdAByAG8AbABsAGUAcjAdBgNV
HSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDgYDVR0PAQH/BAQDAgWgMHgGCSqG
SIb3DQEJDwRrMGkwDgYIKoZIhvcNAwICAgCAMA4GCCqGSIb3DQMEAgIAgDALBglg
hkgBZQMEASowCwYJYIZIAWUDBAEtMAsGCWCGSAFlAwQBAjALBglghkgBZQMEAQUw
BwYFKw4DAgcwCgYIKoZIhvcNAwcwTgYDVR0RBEcwRaAfBgkrBgEEAYI3GQGgEgQQ
ibBbg2xk+kWByfTmlhHwqIIiV0lOLVZPMUJCREpQTklULndpbjJrMTIubWFyc2ho
b3VzZTAdBgNVHQ4EFgQUSCFbjzQV9034463X2wih64kj+5QwHwYDVR0jBBgwFoAU
rOn/0VeHz/Z6UbAIz6NjTLSCAi4wgecGA1UdHwSB3zCB3DCB2aCB1qCB04aB0Gxk
YXA6Ly8vQ049d2luMmsxMi1XSU4tVk8xQkJESlBOSVQtQ0EsQ049V0lOLVZPMUJC
REpQTklULENOPUNEUCxDTj1QdWJsaWMlMjBLZXklMjBTZXJ2aWNlcyxDTj1TZXJ2
aWNlcyxDTj1Db25maWd1cmF0aW9uLERDPXdpbjJrMTIsREM9bWFyc2hob3VzZT9j
ZXJ0aWZpY2F0ZVJldm9jYXRpb25MaXN0P2Jhc2U/b2JqZWN0Q2xhc3M9Y1JMRGlz
dHJpYnV0aW9uUG9pbnQwgdMGCCsGAQUFBwEBBIHGMIHDMIHABggrBgEFBQcwAoaB
s2xkYXA6Ly8vQ049d2luMmsxMi1XSU4tVk8xQkJESlBOSVQtQ0EsQ049QUlBLENO
PVB1YmxpYyUyMEtleSUyMFNlcnZpY2VzLENOPVNlcnZpY2VzLENOPUNvbmZpZ3Vy
YXRpb24sREM9d2luMmsxMixEQz1tYXJzaGhvdXNlP2NBQ2VydGlmaWNhdGU/YmFz
ZT9vYmplY3RDbGFzcz1jZXJ0aWZpY2F0aW9uQXV0aG9yaXR5MA0GCSqGSIb3DQEB
DQUAA4IBAQB6BRo5lsw19dEii2GGE/4bisSDPYKcDxOKv5Nao3jtt3KGDs19ZFk3
hIQcScKo4+TFDDGsoQExk0NpGc3nRryL5HqK3jUIWhzz9SI+Fa/NMuHYdTqtuiAF
fUvnmwFH/d6fIEnCKVLKoOw2ZbFO92Fl+uT8QJchfpwlMWLwWi1edHP+vhSx8v8O
HG9ycnhDw4VPH7rlaSEHe3Or7Twh9F/CHpDOTPMOnqHRprUAOzjQnAlmjHsNDp/8
+smY8Z2NyhSFXnI2hXe4HOLrpEwwjD1DhdW5XQ3JW8smSJRgbQspIcmf9XNi4fAO
JvJ946dYI/JOydAV4yXvqJnNot/b+ozU
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=WIN-VO1BBDJPNIT.win2k12.marshhouse
issuer=/DC=marshhouse/DC=win2k12/CN=win2k12-WIN-VO1BBDJPNIT-CA
---
No client certificate CA names sent
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA512:ECDSA+SHA512:RSA+SHA256:RSA+SHA384:RS
A+SHA1:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA1:DSA+SHA1
Shared Requested Signature Algorithms: RSA+SHA512:ECDSA+SHA512:RSA+SHA256:RSA+SH
A384:RSA+SHA1:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA1:DSA+SHA1
Peer signing digest: SHA1
Server Temp Key: ECDH, P-384, 384 bits
---
SSL handshake has read 2210 bytes and written 533 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-SHA384
    Session-ID: D51D0000964C48960FBDB92D73989E9FED3BE5142A228C97055AF84A5A84F027

    Session-ID-ctx:
    Master-Key: FBDAD623108F8AA5B342B62388C298716FC72620403BBC77D8D7C6A82EADAF02
77FC233C88D9D6B1E352E97A97B599A4
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1473184857
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)

Test 3
--------

C:\Users\junswort>openssl s_client -connect WIN-VO1BBDJPNIT.win2k12.marshhouse:6
36 -showcerts -CAfile c:\certs\_CAcerts.bad.fixed
WARNING: can't open config file: static/static/ssl/openssl.cnf
CONNECTED(00000158)
depth=1 DC = marshhouse, DC = win2k12, CN = win2k12-WIN-VO1BBDJPNIT-CA
verify return:1
depth=0 CN = WIN-VO1BBDJPNIT.win2k12.marshhouse
verify return:1
---
Certificate chain
 0 s:/CN=WIN-VO1BBDJPNIT.win2k12.marshhouse
   i:/DC=marshhouse/DC=win2k12/CN=win2k12-WIN-VO1BBDJPNIT-CA
-----BEGIN CERTIFICATE-----
MIIGRDCCBSygAwIBAgITJwAAAAQdtc/gsC8FGAAAAAAABDANBgkqhkiG9w0BAQ0F
ADBaMRowGAYKCZImiZPyLGQBGRYKbWFyc2hob3VzZTEXMBUGCgmSJomT8ixkARkW
B3dpbjJrMTIxIzAhBgNVBAMTGndpbjJrMTItV0lOLVZPMUJCREpQTklULUNBMB4X
DTE2MDgyNDE1MjczM1oXDTE3MDgyNDE1MjczM1owLTErMCkGA1UEAxMiV0lOLVZP
MUJCREpQTklULndpbjJrMTIubWFyc2hob3VzZTCCASIwDQYJKoZIhvcNAQEBBQAD
ggEPADCCAQoCggEBANGrtW9LP8NV8Bv828I7jR7zHcQeGiW88NnYMalcBD9RGeR0
IPlnmudxxGTKQ7ltTXG+1dKxY9+X3e9F+okovs1Yb0Zfl9trAi1JffvvVZoSZioK
HNH5j8EbDGYqw9hdnmp9FT942qBiLz5vNNN8Td9ONJ4AO2jn9mVuj3Ay6m3G+n4h
cHxV4ocKL+1r1FfrHmbsvoYAo/wC0i+T+0peqOJ0hN2Eh5v09pNhGAeb6SMDR9DF
xJVmENyu1+a1Q851FAZhOYPICFmtZEiXUAKnCTXswuKcuekXOJ6xA1bcVAXo4V0L
SRzulW42IuhVG9cTv5fgQE8xJr9UhU3QCxtJbYkCAwEAAaOCAy4wggMqMC8GCSsG
AQQBgjcUAgQiHiAARABvAG0AYQBpAG4AQwBvAG4AdAByAG8AbABsAGUAcjAdBgNV
HSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDgYDVR0PAQH/BAQDAgWgMHgGCSqG
SIb3DQEJDwRrMGkwDgYIKoZIhvcNAwICAgCAMA4GCCqGSIb3DQMEAgIAgDALBglg
hkgBZQMEASowCwYJYIZIAWUDBAEtMAsGCWCGSAFlAwQBAjALBglghkgBZQMEAQUw
BwYFKw4DAgcwCgYIKoZIhvcNAwcwTgYDVR0RBEcwRaAfBgkrBgEEAYI3GQGgEgQQ
ibBbg2xk+kWByfTmlhHwqIIiV0lOLVZPMUJCREpQTklULndpbjJrMTIubWFyc2ho
b3VzZTAdBgNVHQ4EFgQUSCFbjzQV9034463X2wih64kj+5QwHwYDVR0jBBgwFoAU
rOn/0VeHz/Z6UbAIz6NjTLSCAi4wgecGA1UdHwSB3zCB3DCB2aCB1qCB04aB0Gxk
YXA6Ly8vQ049d2luMmsxMi1XSU4tVk8xQkJESlBOSVQtQ0EsQ049V0lOLVZPMUJC
REpQTklULENOPUNEUCxDTj1QdWJsaWMlMjBLZXklMjBTZXJ2aWNlcyxDTj1TZXJ2
aWNlcyxDTj1Db25maWd1cmF0aW9uLERDPXdpbjJrMTIsREM9bWFyc2hob3VzZT9j
ZXJ0aWZpY2F0ZVJldm9jYXRpb25MaXN0P2Jhc2U/b2JqZWN0Q2xhc3M9Y1JMRGlz
dHJpYnV0aW9uUG9pbnQwgdMGCCsGAQUFBwEBBIHGMIHDMIHABggrBgEFBQcwAoaB
s2xkYXA6Ly8vQ049d2luMmsxMi1XSU4tVk8xQkJESlBOSVQtQ0EsQ049QUlBLENO
PVB1YmxpYyUyMEtleSUyMFNlcnZpY2VzLENOPVNlcnZpY2VzLENOPUNvbmZpZ3Vy
YXRpb24sREM9d2luMmsxMixEQz1tYXJzaGhvdXNlP2NBQ2VydGlmaWNhdGU/YmFz
ZT9vYmplY3RDbGFzcz1jZXJ0aWZpY2F0aW9uQXV0aG9yaXR5MA0GCSqGSIb3DQEB
DQUAA4IBAQB6BRo5lsw19dEii2GGE/4bisSDPYKcDxOKv5Nao3jtt3KGDs19ZFk3
hIQcScKo4+TFDDGsoQExk0NpGc3nRryL5HqK3jUIWhzz9SI+Fa/NMuHYdTqtuiAF
fUvnmwFH/d6fIEnCKVLKoOw2ZbFO92Fl+uT8QJchfpwlMWLwWi1edHP+vhSx8v8O
HG9ycnhDw4VPH7rlaSEHe3Or7Twh9F/CHpDOTPMOnqHRprUAOzjQnAlmjHsNDp/8
+smY8Z2NyhSFXnI2hXe4HOLrpEwwjD1DhdW5XQ3JW8smSJRgbQspIcmf9XNi4fAO
JvJ946dYI/JOydAV4yXvqJnNot/b+ozU
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=WIN-VO1BBDJPNIT.win2k12.marshhouse
issuer=/DC=marshhouse/DC=win2k12/CN=win2k12-WIN-VO1BBDJPNIT-CA
---
No client certificate CA names sent
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA512:ECDSA+SHA512:RSA+SHA256:RSA+SHA384:RS
A+SHA1:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA1:DSA+SHA1
Shared Requested Signature Algorithms: RSA+SHA512:ECDSA+SHA512:RSA+SHA256:RSA+SH
A384:RSA+SHA1:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA1:DSA+SHA1
Peer signing digest: SHA1
Server Temp Key: ECDH, P-384, 384 bits
---
SSL handshake has read 2210 bytes and written 533 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-SHA384
    Session-ID: 640700008BAE822317D1CCBE249A1DFDE7D40963500ABC96EFD973972C689062

    Session-ID-ctx:
    Master-Key: 94B722012AAAD6270AF2304805C6D3C415B8C94E906A1B73ABDBF04CE850E710
D672A81CBB72AC2B17071B5B6F8BDD82
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1473185012
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)

-----Original Message-----
From: openssl-users [mailto:openssl-users-bounces@xxxxxxxxxxx] On Behalf Of Viktor Dukhovni
Sent: 06 September 2016 18:47
To: openssl-users at openssl.org
Subject: Re: A self-signed CA certificate in the CA file *sometimes* stops verification working


> On Sep 6, 2016, at 11:53 AM, John Unsworth <John.Unsworth at synchronoss.com> wrote:
> 
> I have noticed the following behaviour:
>  
> 1 Create a certificate file with two CA certificates, one for the server being connected to (server A) and one for another server (server B).
> 2 Whichever way the CA certificates are ordered the connect works OK.
> 3 Add a self-signed CA certificate in the file before the one for server A. The connect fails ?Verify return code: 21 (unable to verify the first certificate)?.
> 4 Move the self-signed CA certificate after the one for server A. The connect works OK.
>  
> Why should the self-signed certificate affect the connection when the required CA certificate is in the certificate file? Is this a bug?

You've provided much too little detail for a meaningful answer.

Post the server chain being validated as reported by

   $ openssl s_client -showcerts -connect <server>:443 > chain.pem
   $ openssl crl2pkcs7 -nocrl -certfile chain.pem |
     openssl pkcs7 -print_certs

and all three CA certificates.  Do not post any of the private keys.

-- 
	Viktor.

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
-------------- next part --------------
A non-text attachment was scrubbed...
Name: _CAcerts.bad.fixed
Type: application/octet-stream
Size: 4522 bytes
Desc: _CAcerts.bad.fixed
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20160906/5b3e12e1/attachment-0003.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: _CAcerts.good
Type: application/octet-stream
Size: 2572 bytes
Desc: _CAcerts.good
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20160906/5b3e12e1/attachment-0004.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: _CAcerts.bad
Type: application/octet-stream
Size: 4445 bytes
Desc: _CAcerts.bad
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20160906/5b3e12e1/attachment-0005.obj>
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux