Hello Steve, *If I do not indicate the location of the cert* >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
> PS C:\OpenSSL-Win32\bin> .\openssl s_client -connect > www.googleapis.com:443 > CONNECTED(00000088) > depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA > verify error:num=20:unable to get local issuer certificate > --- > Certificate chain > 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.googleapis.com > i:/C=US/O=Google Inc/CN=Google Internet Authority G2 > 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2 > i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA > 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA > i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority > --- > Server certificate > -----BEGIN CERTIFICATE----- > MIIE3TCCA8WgAwIBAgIIDH5aJKS4GAgwDQYJKoZIhvcNAQELBQAwSTELMAkGA1UE > BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl > cm5ldCBBdXRob3JpdHkgRzIwHhcNMTYwNTA0MDkwNDQ5WhcNMTYwNzI3MDgzOTAw > WjBqMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN > TW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEZMBcGA1UEAwwQKi5n > b29nbGVhcGlzLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAI8B > ycNrRlBbiRgDcbCJ9fDNbfXCbKZgU8ZVwlXQitVVd4WTPMvXBJc9Pqp8ZjdnC6wG > bQZYogxOzWjDtkmlyHmjncfWN64yOhKUrOVcueylNtMaO7RP4mId9DKRcZK+omh4 > ONvJC3wb7HSu5oKWm2jf47XUU0/XXGuX2BXQNJmXP3g56vHnRkNzfO5iygqFbMtM > 8Wu/M4agSa24HIcx55z5LhAzupoTBhNVYvyvegdIEjhXJQ1h8DyWaCnE7Ek57pba > QjlEwW7cFFA0xOMwM8SrI34kfLh43eNGFaqZn1wHieFK51WK83WLFge8fG6+qZSL > 63R+QtXlVRF5WvCvjHcCAwEAAaOCAaYwggGiMB0GA1UdJQQWMBQGCCsGAQUFBwMB > BggrBgEFBQcDAjB0BgNVHREEbTBrghAqLmdvb2dsZWFwaXMuY29tghUqLmNsaWVu > dHM2Lmdvb2dsZS5jb22CGCouY2xvdWRlbmRwb2ludHNhcGlzLmNvbYIWY2xvdWRl > bmRwb2ludHNhcGlzLmNvbYIOZ29vZ2xlYXBpcy5jb20waAYIKwYBBQUHAQEEXDBa > MCsGCCsGAQUFBzAChh9odHRwOi8vcGtpLmdvb2dsZS5jb20vR0lBRzIuY3J0MCsG > CCsGAQUFBzABhh9odHRwOi8vY2xpZW50czEuZ29vZ2xlLmNvbS9vY3NwMB0GA1Ud > DgQWBBSCEj3sYkh+7kTDbxl2z1RuBnZq1zAMBgNVHRMBAf8EAjAAMB8GA1UdIwQY > MBaAFErdBhYbvPZotXb1gba7Yhq6WoEvMCEGA1UdIAQaMBgwDAYKKwYBBAHWeQIF > ATAIBgZngQwBAgIwMAYDVR0fBCkwJzAloCOgIYYfaHR0cDovL3BraS5nb29nbGUu > Y29tL0dJQUcyLmNybDANBgkqhkiG9w0BAQsFAAOCAQEAW3uduEkfbXschjzuWe1/ > tBFY5ZOMsaLRXyIHaHYdrrqi8NDHa/l+ukPiJZQLyEV3PKHUjFSjZKr88dw5Rw/R > NGD0QaR/4iWcvR8bn0rbHtW1k/q34CsIHLHMqDRdBA3ciJSAViwJDqo7VxIGwkuX > N0veDKwkPgbUL1Z8/HBtl74Acp11LeXP0RWEZYH/FhR9Q2XBnXDHMk8UmjIEKGTv > +ubGxdvq8JN0d++y0hPJjM+RspdrOpLIGIlvIXZefTrobuFGuwiDzdG8P8q1MaVK > 8dHSjECXVd/o81gCI3ZJ9ycHMPMpRxoC3JK21SGHDs16hHuEup2EBNW1w7JKsai5 > wQ== > -----END CERTIFICATE----- > subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=*. > googleapis.com > issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2 > --- > No client certificate CA names sent > Peer signing digest: SHA256 > Server Temp Key: ECDH, P-256, 256 bits > --- > SSL handshake has read 3820 bytes and written 433 bytes > --- > New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256 > Server public key is 2048 bit > Secure Renegotiation IS supported > Compression: NONE > Expansion: NONE > No ALPN negotiated > SSL-Session: > Protocol : TLSv1.2 > Cipher : ECDHE-RSA-AES128-GCM-SHA256 > Session-ID: > 9E26D6E32758E9BC908849E57A3DBD2A9C3905604D8E63FB044B0E195C00AF1F > Session-ID-ctx: > Master-Key: > 6458E2E8555AE8A173D525FCDE2A84C39B50451CE645F81ABB1265133C3D6CF272B41F3D0F5F1E66CBB3445FB2FBBBCB > Key-Arg : None > PSK identity: None > PSK identity hint: None > SRP username: None > TLS session ticket lifetime hint: 100800 (seconds) > TLS session ticket: > 0000 - ec 61 29 b8 43 b5 f4 1c-d7 d8 87 e1 2c b1 77 cd > .a).C.......,.w. > 0010 - 22 1d df 2e 1c e5 27 e5-7e e5 5d 0a f4 8e 67 6a > ".....'.~.]...gj > 0020 - ef 3b 54 67 20 78 bb a3-1f 74 0f 0b 01 5e e2 71 .;Tg > x...t...^.q > 0030 - 88 62 1b 4d 62 d6 8b 88-61 51 51 da 4a de 6f bc > .b.Mb...aQQ.J.o. > 0040 - eb 00 f8 02 cd 25 ed 97-a7 a6 a6 8e c2 5b cd 6b > .....%.......[.k > 0050 - 7c 91 f9 56 8b bc 16 0e-ae 25 55 c3 b1 70 1a 5d > |..V.....%U..p.] > 0060 - f2 6e 91 5a a5 84 e1 a3-d3 68 27 60 47 03 f9 03 > .n.Z.....h'`G... > 0070 - 5b 64 0c 7a f2 fd a5 07-fe 0d 4d 74 47 db 33 fb > [d.z......MtG.3. > 0080 - d9 0d fd 79 9d 21 3a c7-8f b8 5d 36 c4 f2 63 8d > ...y.!:...]6..c. > 0090 - 28 65 8e 72 20 e3 29 97-22 4f 13 3b b2 63 e1 20 (e.r > .)."O.;.c. > 00a0 - 2c a8 b8 4b ,..K > Start Time: 1462572985 > Timeout : 300 (sec) > Verify return code: 20 (unable to get local issuer certificate) --- *I point to the the newest cert* >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> > PS C:\OpenSSL-Win32\bin> .\openssl s_client -CAfile > 'C:\xampp\php\cacert.pem' -connect www.googleapis.com:443 > CONNECTED(000000D8) > depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA > verify return:1 > depth=1 C = US, O = Google Inc, CN = Google Internet Authority G2 > verify return:1 > depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = *. > googleapis.com > verify return:1 > --- > Certificate chain > 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.googleapis.com > i:/C=US/O=Google Inc/CN=Google Internet Authority G2 > 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2 > i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA > 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA > i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority > --- > Server certificate > -----BEGIN CERTIFICATE----- > MIIE3TCCA8WgAwIBAgIITVrtsF9kKrwwDQYJKoZIhvcNAQELBQAwSTELMAkGA1UE > BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl > cm5ldCBBdXRob3JpdHkgRzIwHhcNMTYwNDIwMTMyMzU0WhcNMTYwNzEzMTMwODAw > WjBqMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN > TW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEZMBcGA1UEAwwQKi5n > b29nbGVhcGlzLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJpY > rj57gYKRcXGpPuPQScAPqnrlIc+vLMoz9cSoC8QMh3G8M/eNeKGsOW6NT6nlKBEn > gx1QthGh4mdyBzhYXFDun3csjMA/TSE0X3sNWU5byKJHOVqmjlTu0y3wqp/3EuuE > QhJCFV+DFvcZM4w1SJANVJJzgKfpCW92NrnCSgd3fsHqUriMI5AfbARga7DyUHad > WKs7oO7izR2tfgeh8RtRLkmTmxpLWaLJusVRzzfX5m8QU0s2D3thNpMsyH+VZqqU > v0s5sSS6llM+KhFVT9xANSCTDCxBOGEg5DlhEWPfih/2pK+wUcLKbI7t+XJIr9yR > +Myt43wTyAci+EvWX4ECAwEAAaOCAaYwggGiMB0GA1UdJQQWMBQGCCsGAQUFBwMB > BggrBgEFBQcDAjB0BgNVHREEbTBrghAqLmdvb2dsZWFwaXMuY29tghUqLmNsaWVu > dHM2Lmdvb2dsZS5jb22CGCouY2xvdWRlbmRwb2ludHNhcGlzLmNvbYIWY2xvdWRl > bmRwb2ludHNhcGlzLmNvbYIOZ29vZ2xlYXBpcy5jb20waAYIKwYBBQUHAQEEXDBa > MCsGCCsGAQUFBzAChh9odHRwOi8vcGtpLmdvb2dsZS5jb20vR0lBRzIuY3J0MCsG > CCsGAQUFBzABhh9odHRwOi8vY2xpZW50czEuZ29vZ2xlLmNvbS9vY3NwMB0GA1Ud > DgQWBBTs3g7lOYzfplaZC+O3gm5xj/bYxjAMBgNVHRMBAf8EAjAAMB8GA1UdIwQY > MBaAFErdBhYbvPZotXb1gba7Yhq6WoEvMCEGA1UdIAQaMBgwDAYKKwYBBAHWeQIF > ATAIBgZngQwBAgIwMAYDVR0fBCkwJzAloCOgIYYfaHR0cDovL3BraS5nb29nbGUu > Y29tL0dJQUcyLmNybDANBgkqhkiG9w0BAQsFAAOCAQEAmWm01cSN344EyyLjEGQN > 1y2eKIHg4n7qw9lz3Kjolv/OhMKSG17AURTIZm8O8n6g+OZUtLPaVie0bXsdt/vS > fYjj4j2vzldj9fT9CNFi0DyuxOAOujOMtu4wRKREfXhHzmUNxSbscjD9ImLd0J92 > iHqP9QsFvmUz/dsyQixeZ4aqeW/ogOddje3GgB5EfINH3K8g+OFVJvJUc4wFvMMa > JfPJoCBOudrejPM5Zp3yQCQZ1GhTf906PVfAtHtAXE/QQKMqqneem3SSn4cJV1+H > zfejHoNYmh6eAA8W6Stw7HGDmsNCijzhwrROnsQ1p4QF5qYtdUhshZS6WdkBE4E1 > ZA== > -----END CERTIFICATE----- > subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=*. > googleapis.com > issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2 > --- > No client certificate CA names sent > Peer signing digest: SHA256 > Server Temp Key: ECDH, P-256, 256 bits > --- > SSL handshake has read 3820 bytes and written 433 bytes > --- > New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256 > Server public key is 2048 bit > Secure Renegotiation IS supported > Compression: NONE > Expansion: NONE > No ALPN negotiated > SSL-Session: > Protocol : TLSv1.2 > Cipher : ECDHE-RSA-AES128-GCM-SHA256 > Session-ID: > E2EFF653C6852A4ABF4A3045702E9EF0C82EC8DEB46F522F70B5654A8A43CFA5 > Session-ID-ctx: > Master-Key: > 76EB07CAD8978DC7CF53EB6DBAED18A2B564A8E4BBBE97FA3086631F791C631632D70E48546EEF9E07E379BD35B0EE5A > Key-Arg : None > PSK identity: None > PSK identity hint: None > SRP username: None > TLS session ticket lifetime hint: 100800 (seconds) > TLS session ticket: > 0000 - ec 61 29 b8 43 b5 f4 1c-d7 d8 87 e1 2c b1 77 cd > .a).C.......,.w. > 0010 - ea 29 f3 d0 b9 21 f1 0c-2c 04 ee 1a 1e b2 65 aa > .)...!..,.....e. > 0020 - 8b d6 1a 0f 9f 6e 8d 01-e2 1e 88 dc 43 29 dc bf > .....n......C).. > 0030 - 7e 92 e5 41 c8 3d 02 01-be 81 89 67 aa 9b a4 5c > ~..A.=.....g...\ > 0040 - 59 7a ed 01 e1 ff 6d 6f-c0 65 f7 f0 aa 4a 46 ad > Yz....mo.e...JF. > 0050 - d4 d3 84 39 80 f2 84 98-bd 22 f5 31 9a ae 77 7d > ...9.....".1..w} > 0060 - 90 c0 35 7f c1 30 18 1a-8d 3a a5 47 9a fd 65 f0 > ..5..0...:.G..e. > 0070 - 77 93 8c a2 95 8b a3 80-79 7d a3 6b 9d bf 62 8e > w.......y}.k..b. > 0080 - c3 d8 17 ac c2 9f c5 e9-51 a6 34 7e 65 9a 69 9b > ........Q.4~e.i. > 0090 - 92 7c cc 10 96 cb 14 d9-b6 60 f5 d5 f0 e1 bf f0 > .|.......`...... > 00a0 - 77 f1 0c 1b w... > Start Time: 1462573288 > Timeout : 300 (sec) > Verify return code: 0 (ok) --- *When I point to the old cert* >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> > PS C:\OpenSSL-Win32\bin> .\openssl s_client -CAfile > 'C:\xampp\php\cacert_old.pem' -connect www.googleapis.com:443 > CONNECTED(00000140) > depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority > verify return:1 > depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA > verify return:1 > depth=1 C = US, O = Google Inc, CN = Google Internet Authority G2 > verify return:1 > depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = *. > googleapis.com > verify return:1 > --- > Certificate chain > 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.googleapis.com > i:/C=US/O=Google Inc/CN=Google Internet Authority G2 > 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2 > i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA > 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA > i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority > --- > Server certificate > -----BEGIN CERTIFICATE----- > MIIE3TCCA8WgAwIBAgIIDH5aJKS4GAgwDQYJKoZIhvcNAQELBQAwSTELMAkGA1UE > BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl > cm5ldCBBdXRob3JpdHkgRzIwHhcNMTYwNTA0MDkwNDQ5WhcNMTYwNzI3MDgzOTAw > WjBqMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN > TW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEZMBcGA1UEAwwQKi5n > b29nbGVhcGlzLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAI8B > ycNrRlBbiRgDcbCJ9fDNbfXCbKZgU8ZVwlXQitVVd4WTPMvXBJc9Pqp8ZjdnC6wG > bQZYogxOzWjDtkmlyHmjncfWN64yOhKUrOVcueylNtMaO7RP4mId9DKRcZK+omh4 > ONvJC3wb7HSu5oKWm2jf47XUU0/XXGuX2BXQNJmXP3g56vHnRkNzfO5iygqFbMtM > 8Wu/M4agSa24HIcx55z5LhAzupoTBhNVYvyvegdIEjhXJQ1h8DyWaCnE7Ek57pba > QjlEwW7cFFA0xOMwM8SrI34kfLh43eNGFaqZn1wHieFK51WK83WLFge8fG6+qZSL > 63R+QtXlVRF5WvCvjHcCAwEAAaOCAaYwggGiMB0GA1UdJQQWMBQGCCsGAQUFBwMB > BggrBgEFBQcDAjB0BgNVHREEbTBrghAqLmdvb2dsZWFwaXMuY29tghUqLmNsaWVu > dHM2Lmdvb2dsZS5jb22CGCouY2xvdWRlbmRwb2ludHNhcGlzLmNvbYIWY2xvdWRl > bmRwb2ludHNhcGlzLmNvbYIOZ29vZ2xlYXBpcy5jb20waAYIKwYBBQUHAQEEXDBa > MCsGCCsGAQUFBzAChh9odHRwOi8vcGtpLmdvb2dsZS5jb20vR0lBRzIuY3J0MCsG > CCsGAQUFBzABhh9odHRwOi8vY2xpZW50czEuZ29vZ2xlLmNvbS9vY3NwMB0GA1Ud > DgQWBBSCEj3sYkh+7kTDbxl2z1RuBnZq1zAMBgNVHRMBAf8EAjAAMB8GA1UdIwQY > MBaAFErdBhYbvPZotXb1gba7Yhq6WoEvMCEGA1UdIAQaMBgwDAYKKwYBBAHWeQIF > ATAIBgZngQwBAgIwMAYDVR0fBCkwJzAloCOgIYYfaHR0cDovL3BraS5nb29nbGUu > Y29tL0dJQUcyLmNybDANBgkqhkiG9w0BAQsFAAOCAQEAW3uduEkfbXschjzuWe1/ > tBFY5ZOMsaLRXyIHaHYdrrqi8NDHa/l+ukPiJZQLyEV3PKHUjFSjZKr88dw5Rw/R > NGD0QaR/4iWcvR8bn0rbHtW1k/q34CsIHLHMqDRdBA3ciJSAViwJDqo7VxIGwkuX > N0veDKwkPgbUL1Z8/HBtl74Acp11LeXP0RWEZYH/FhR9Q2XBnXDHMk8UmjIEKGTv > +ubGxdvq8JN0d++y0hPJjM+RspdrOpLIGIlvIXZefTrobuFGuwiDzdG8P8q1MaVK > 8dHSjECXVd/o81gCI3ZJ9ycHMPMpRxoC3JK21SGHDs16hHuEup2EBNW1w7JKsai5 > wQ== > -----END CERTIFICATE----- > subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=*. > googleapis.com > issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2 > --- > No client certificate CA names sent > Peer signing digest: SHA256 > Server Temp Key: ECDH, P-256, 256 bits > --- > SSL handshake has read 3820 bytes and written 433 bytes > --- > New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256 > Server public key is 2048 bit > Secure Renegotiation IS supported > Compression: NONE > Expansion: NONE > No ALPN negotiated > SSL-Session: > Protocol : TLSv1.2 > Cipher : ECDHE-RSA-AES128-GCM-SHA256 > Session-ID: > AD9140FB81BD95DBE9B7E9DDAC5CCA6CA4463112D9A7CBB31E643F40A420F310 > Session-ID-ctx: > Master-Key: > E35F7968B42F46F0900D21A3ED08016893CCBE4723ECD1C11C6F130A5FA08F714B3C0D75DDD23C65A550F64643E7C74D > Key-Arg : None > PSK identity: None > PSK identity hint: None > SRP username: None > TLS session ticket lifetime hint: 100800 (seconds) > TLS session ticket: > 0000 - ec 61 29 b8 43 b5 f4 1c-d7 d8 87 e1 2c b1 77 cd > .a).C.......,.w. > 0010 - 0c f9 5f dc 91 1b 88 8b-01 a4 28 2f 02 24 56 89 > .._.......(/.$V. > 0020 - f1 d4 11 fd 35 83 9d 0d-a2 35 9c c2 6b 0c b4 2b > ....5....5..k..+ > 0030 - 21 d2 76 5e 99 16 ca 25-2d 6c 52 44 56 f8 e1 87 > !.v^...%-lRDV... > 0040 - bd 3a 69 48 bd fe eb 53-c4 21 d4 4e ef ba b3 69 > .:iH...S.!.N...i > 0050 - 2e 00 fe 7c 94 5f 62 fa-25 c0 3e 38 f5 22 ca 78 > ...|._b.%.>8.".x > 0060 - 31 0a 73 9c 44 f5 6b 41-e5 f1 4a 56 e0 6e ee 38 > 1.s.D.kA..JV.n.8 > 0070 - e2 61 03 d6 96 f9 86 e1-98 03 c9 ea ea 53 b6 0c > .a...........S.. > 0080 - aa 2c fb 3d bd f0 d7 5e-69 2e 16 cf ce 2c c3 1a > .,.=...^i....,.. > 0090 - 2d b3 7f 61 c1 ad 87 87-8d 5d c6 7d d5 15 28 0b > -..a.....].}..(. > 00a0 - 1d c1 db ef .... > Start Time: 1462573578 > Timeout : 300 (sec) > Verify return code: 0 (ok) > > On Fri, May 6, 2016 at 2:19 PM, Stephen Henson via RT <[email protected]> wrote: > On Fri May 06 00:33:47 2016, [email protected] wrote: > > > > I updated the openssl version to 1.0.2h and reran. Was able to > > reproduce. *Old > > pem works newer pem fails*. > > > > Can you reproduce this using s_client? > > Steve. > -- > Dr Stephen N. Henson. OpenSSL project core developer. > Commercial tech support now available see: http://www.openssl.org > > -- > Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4510 > Please log in as guest with password guest if prompted > > -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4510 Please log in as guest with password guest if prompted -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
