Thanks for taking the time to look into my problem, I just now figured it
out.   The short answer is I was mistaken about the root cert being in the
store.  There was another root cert in the store from verisign with the
exact same name, but it had a different serial number.  I didn't realize my
mistake, because when I tried to verify the connection to the server using
"openssl s_client" it fully verified the certificate chain, but it could
only verify the certificate chain because my assistant had manually
installed one of the intermediate certs in the certificate store.  This led
me to improperly conclude that there was an option I was missing in the
code.

So, thanks very much for your time and effort in helping to dispel my
confusion.

- David


On Tue, Jan 22, 2013 at 3:39 PM, Dave Thompson <dthomp...@prinpay.com> wrote:

> >From: owner-openssl-us...@openssl.org On Behalf Of David Hinkle
> >Sent: Monday, 21 January, 2013 19:48
>
> >So I've got my ssl client working pretty well.  It does great with
> >most websites, but some of them it doesn't verify the certificate chain
> >for, returning the above error.   The CA root cert in question is in
> >the certificate store, and the server isn't actually sending the root
> >so I'm pretty sure that openssl has even found it in the store and is
> >trying to verify it.   I've pasted the details below of a certificate
> >that is working (Equifax) and one that isn't (Verisign).   The only clue
> >that I have is that the Verisign cert doesn't have any extensions on it.
> >Maybe by default the openssl library is requiring the cert to be configured
> >to be able to sign other certs?  If this is true, what can I do?
> >Any guidance or ideas appreciated.  I'm not sure what to do next.
>
> *If* an issuing cert has KeyUsage extension it must include certSign,
> but if the extension is absent (and all extensions are absent in v1)
> it is allowed for backward compatibility. I do this in test almost
> all the time because it's quicker to set up.
>
> How are you sure of your other statements above? As I read the code,
> verify 19 occurs only if the peer *does* send the root and it is
> *not* found in the local truststore.
>
> Is your truststore in OpenSSL's default format (CAfile and/or CApath)
> or can it be converted to that? If so, try commandline s_client
> which will show you the cert chain (and callback steps).
> (Even without any truststore it will show you the chain.)
>
> Are you sure you have the *correct* Verisign root? There are about
> a dozen published Verisign roots many of which have very similar --
> but not identical -- names. They are not interchangeable, although
> in at least one case I looked at there is a "bridge" cert to
> (optionally and alternatively) chain a newer root to an older.
>
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
>



-- 
*David Hinkle*

*Senior Software Developer*

*Phone:*  800.243.3729x3000

*Email:*  hin...@cipafilter.com

*Hours:*  Mon-Fri   8:00AM-5:00PM (CT)
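The root cause above (two roots with the exact same name but different serial numbers, and a manually installed intermediate masking the gap) comes down to how a truststore identifies a certificate. The following is an added example, not code from this thread or from OpenSSL: it encodes two constructed, unsigned certificate-shaped DER structures that share a subject name but differ in serial number, parses serial and subject back out with a minimal DER reader, reports subject-name collisions in a store, and shows that a root sent by the peer is only "found" when it is byte-for-byte identical to a store entry (the condition behind verify error 19). The names, OIDs in use, serial numbers and the zero-filled key and signature are all constructed; a store is assumed to be a plain list of DER blobs.

```python
# Added example (not from the thread or from OpenSSL). Builds two constructed,
# unsigned certificate shapes with identical subject names and different
# serials, then audits a "truststore" (a list of DER blobs) for name collisions.
import hashlib
from collections import defaultdict

# --- minimal DER encoder: only what a toy certificate needs ----------------
def tlv(tag, body):
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:  # long-form length for bodies of 128 bytes or more
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body

def der_int(v):  # positive INTEGER; extra byte keeps the sign bit clear
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:  # base-128 with continuation bits
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        out.extend(chunk)
    return tlv(0x06, bytes(out))

def der_name(pairs):
    # X.501 Name: SEQUENCE OF SET OF AttributeTypeAndValue (UTF8String values)
    rdns = [tlv(0x31, tlv(0x30, der_oid(oid) + tlv(0x0C, val.encode())))
            for oid, val in pairs]
    return tlv(0x30, b"".join(rdns))

def toy_certificate(serial, subject_pairs):
    """Self-issued certificate shape; key and signature are zero-filled (constructed)."""
    sig_alg = tlv(0x30, der_oid("1.2.840.113549.1.1.11") + tlv(0x05, b""))
    name = der_name(subject_pairs)
    validity = tlv(0x30, tlv(0x17, b"130101000000Z") + tlv(0x17, b"330101000000Z"))
    spki = tlv(0x30, tlv(0x30, der_oid("1.2.840.113549.1.1.1") + tlv(0x05, b""))
               + tlv(0x03, b"\x00" * 33))
    tbs = tlv(0x30, tlv(0xA0, der_int(2)) + der_int(serial) + sig_alg
              + name + validity + name + spki)  # issuer == subject: self-issued
    return tlv(0x30, tbs + sig_alg + tlv(0x03, b"\x00" * 33))

# --- minimal DER reader -----------------------------------------------------
def read_tlv(buf, pos=0):
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, inner, pos = read_tlv(body, pos)
        out.append((tag, inner))
    return out

def parse_certificate(der):
    """Return (serial, subject) from a DER Certificate; subject joined with '/'."""
    _, cert_body, _ = read_tlv(der)
    _, tbs_body = children(cert_body)[0]
    fields = children(tbs_body)
    if fields[0][0] == 0xA0:  # optional EXPLICIT [0] version
        fields = fields[1:]
    serial = int.from_bytes(fields[0][1], "big")
    # fields: serial, signature alg, issuer, validity, subject, spki, ...
    parts = []
    for _, rdn_set in children(fields[4][1]):
        _, atv = children(rdn_set)[0]
        _, value = children(atv)[1]
        parts.append(value.decode())
    return serial, "/".join(parts)

# --- the audit ----------------------------------------------------------------
def fingerprint(der):
    return hashlib.sha256(der).hexdigest()

def duplicate_subjects(store):
    """subject -> [(serial, sha256)] for every subject that appears more than once."""
    by_subject = defaultdict(list)
    for der in store:
        serial, subject = parse_certificate(der)
        by_subject[subject].append((serial, fingerprint(der)))
    return {s: v for s, v in by_subject.items() if len(v) > 1}

def root_is_trusted(store, peer_root_der):
    """A root the peer sends counts as found only if a store entry is byte-identical."""
    return fingerprint(peer_root_der) in {fingerprint(d) for d in store}

if __name__ == "__main__":
    NAME = [("2.5.4.6", "US"), ("2.5.4.10", "Example CA Inc."), ("2.5.4.3", "Example Root CA")]
    old_root, new_root = toy_certificate(0x1234, NAME), toy_certificate(0x5678, NAME)
    for subject, entries in duplicate_subjects([old_root, new_root]).items():
        print("same name, different certificates:", subject)
        for serial, fp in entries:
            print(f"  serial={serial:x} sha256={fp[:16]}...")
    print("peer root trusted:", root_is_trusted([old_root], new_root))
```

With a real store the same audit is a matter of running `openssl x509 -noout -subject -serial -fingerprint -sha256` over each file and grouping by subject; the point is that the subject name is a label, and a trust anchor has to be matched on the certificate itself (fingerprint, or issuer plus serial and key identifier), which is also why the thread's `s_client` check only looked healthy while a hand-installed intermediate supplied the missing link.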
