Maybe that's a bug in OpenSSL 0.9.8o? The docs for verify say "It is an error if the whole chain cannot be built up."
....................................
Erik Tkal
Juniper OAC/UAC/Pulse Development

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Bruce Stephens
Sent: Wednesday, November 03, 2010 12:59 PM
To: [email protected]
Subject: Re: openssl verify fails

Erik Tkal <[email protected]> writes:

> Hi Michael,
>
> Your "rootcacert" is not a root cert, as it was issued by "C=US,
> ST=UT, L=Salt Lake City, O=The USERTRUST Network,
> OU=http://www.usertrust.com, CN=UTN-USERFirst-Client Authentication
> and Email". You need to append that cert as well to your CAfile.

That seems to be a change in behaviour. 0.9.8o is happy:

brs% openssl version
OpenSSL 0.9.8o 01 Jun 2010
brs% openssl verify -verbose -CAfile rootcacert.pem subcacert.pem
subcacert.pem: OK
brs% openssl verify -issuer_checks -CAfile rootcacert.pem subcacert.pem
subcacert.pem: /C=DE/O=SCA Deutsche Post Com GmbH/CN=Signtrust CERT Class 3 CA 3:PN
error 29 at 0 depth lookup:subject issuer mismatch
/C=DE/O=SCA Deutsche Post Com GmbH/CN=Signtrust CERT Class 3 CA 3:PN
error 29 at 0 depth lookup:subject issuer mismatch
/C=DE/O=SCA Deutsche Post Com GmbH/CN=Signtrust CERT Class 3 CA 3:PN
error 29 at 0 depth lookup:subject issuer mismatch
/C=DE/O=SCA Deutsche Post Com GmbH/CN=Signtrust CERT Root CA 1:PN
error 29 at 0 depth lookup:subject issuer mismatch
OK

[...]

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [email protected]
Automated List Manager                           [email protected]
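The behaviour the thread is arguing about can be reproduced with throwaway keys instead of the Signtrust/USERTRUST certificates. The script below is an added example, not part of the thread: it builds a self-signed root plus an intermediate issued by it, checks which of the two is actually a root (issuer equal to subject), and then runs `openssl verify` once with only the intermediate as CAfile and once with the root appended. It assumes a current `openssl` CLI on PATH; the names "Example Root" and "Example Intermediate" are invented.

```shell
#!/bin/sh
# Added example: self-signed root -> intermediate, then verify with and
# without the root in the CAfile. Requires the openssl CLI; keys are
# generated into a temporary directory that is removed on exit.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create the hierarchy. The intermediate stands in for the thread's
# "rootcacert": a CA certificate that was itself issued by a higher CA.
make_hierarchy() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Root" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate" \
    -keyout "$WORK/inter.key" -out "$WORK/inter.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/inter.csr" -CA "$WORK/root.pem" \
    -CAkey "$WORK/root.key" -CAcreateserial -out "$WORK/inter.pem" 2>/dev/null
  # A bundle that ends in a real root, which is what Erik recommends.
  cat "$WORK/root.pem" "$WORK/inter.pem" > "$WORK/bundle.pem"
}

# Print "self-signed" or "issued" for a PEM certificate by comparing issuer
# and subject in RFC 2253 form. This is the quick check for whether a
# supposed root certificate is actually one.
cert_kind() {
  subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
  iss=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')
  if [ "$subj" = "$iss" ]; then echo self-signed; else echo issued; fi
}

# Exit status 0 when `openssl verify` accepts certificate $2 against CAfile $1.
verifies() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

make_hierarchy
echo "root.pem:  $(cert_kind "$WORK/root.pem")"    # self-signed
echo "inter.pem: $(cert_kind "$WORK/inter.pem")"   # issued
# Only the intermediate trusted: a current OpenSSL cannot complete the chain.
if verifies "$WORK/inter.pem" "$WORK/inter.pem"; then echo "inter-only: OK"; else echo "inter-only: fails"; fi
# Root appended to the CAfile: the same verification succeeds.
if verifies "$WORK/bundle.pem" "$WORK/inter.pem"; then echo "with root: OK"; else echo "with root: fails"; fi
```

Running the intermediate-only case with `-partial_chain` added to `openssl verify` makes it pass again, which is the knob to reach for when a non-root CA really is meant to be the trust anchor.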
