>From: [email protected] On Behalf Of Peter Eckersley
>Sent: Monday, 09 July, 2012 19:59
># now try to verify it. Note that "allcerts" was a poorly chosen
>directory name. It should have been allCAs...
>openssl verify -untrusted twitter.com.results_2.pem
>-CApath ../allcerts/ twitter.com.results_1.pem
># with openssl 0.9.8*, the above command will print
># twitter.com.results_1.pem: OK
>#
># but with 1.0.1c, it gives:
># error 20 at 1 depth lookup:unable to get local issuer certificate
The CA-dir (CApath) hashnames used by >=1.0.0 are changed from 0.9.8.
You must c_rehash, or equivalent; or use -CAfile instead.
This also affects other commandline utilities that verify a cert
if used with -CApath e.g. s_client smime . And any other programs
that invoke cert verification with that CA-dir as a truststore.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [email protected]
Automated List Manager [email protected]
