> On Nov 19, 2018, at 1:15 AM, Ken <OpenSSL@xxxxxx> wrote:
>
> There are no stale intermediate certificates on my computer.

The evidence suggests otherwise.

> Also, strace shows that it is looking for the correct CA certificate
> (/var/lib/ca-certificates/openssl/4bfab552.0), and being told that it
> exists - but with the newer version of openssl, it never tries to open
> the CA certificate (the older version does).

The newer code uses a "trusted first" policy, which means that the intermediate certificate comes from the trust store, not the peer. When it fails to validate (as reported, the failure is verifying the issuer, not leaf certificate) one can reasonably conclude that there's something wrong with an intermediate issuer certificate in the trust store.

You can check by creating a new file that contains just the expected root CA and nothing else, and setting CAfile to that, and CApath to an empty directory. Please report the results.

--
Viktor.

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
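
The isolation check suggested in the reply above, as an added example that is not part of the original thread: the trust store is reduced to a CAfile holding only the root plus an empty CApath, so any intermediate has to come from the peer's chain. The function names, file names and the throwaway test PKI are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread). All certificates are constructed
# throwaway test data; function and file names are hypothetical.

# make_test_pki DIR: build a root -> intermediate -> leaf chain inside DIR.
make_test_pki() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    for n in root int leaf; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example $n" \
            -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
    done
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null &&
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -set_serial 2 -days 2 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null &&
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -set_serial 3 -days 2 -out "$d/leaf.pem" 2>/dev/null
}

# isolated_verify ROOT PEER_CHAIN LEAF
# Trust store = a CAfile holding only ROOT plus an empty CApath. Passing both
# options keeps the system default store out of the lookup, so no intermediate
# can be picked up "trusted first"; it must come from PEER_CHAIN (-untrusted).
isolated_verify() {
    w=$(mktemp -d) || return 2
    cp "$1" "$w/root-only.pem" && mkdir "$w/empty-capath"
    out=$(openssl verify -CAfile "$w/root-only.pem" -CApath "$w/empty-capath" \
        -untrusted "$2" "$3" 2>&1)
    rm -rf "$w"
    case $out in
        *": OK"*) return 0 ;;
        *) printf '%s\n' "$out" >&2; return 1 ;;
    esac
}
```

If the chain verifies against the isolated store but fails against the system store, the difference lies in what the system store contains. For a live server, the same `-CAfile` and `-CApath` pair can be given to `openssl s_client -connect`.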