Hi, I'm running into an issue (with both 0.9.7l and 0.9.8g) where I'm attempting to connect to a server with a client certificate and what appears to be a complete chain of server certificates, and yet I'm still getting the 'unknown ca' error.

My command line is:

    openssl s_client \
      -connect [HOST]:443 \
      -CAfile server_chain.pem \
      -cert client_keypair.pem \
      -key client_keypair.pem

The output I see is (from 0.9.8g on Ubuntu, and I've redacted the company details):

    CONNECTED(00000003)
    depth=2 /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
    verify return:1
    depth=1 /O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
    verify return:1
    depth=0 /C=[HOST]/ST=[HOST]/L=[HOST]/O=[COMPANY NAME]./OU=[HOST]/CN=[HOST]
    verify return:1
    4645:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1053:SSL alert number 48
    4645:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:

To my (admittedly noob-ish) eyes, it appears that everything in the chain has been validated successfully.

If I remove the -CAfile parameter, I get the following output (again 0.9.8g on Ubuntu):

    CONNECTED(00000003)
    depth=2 /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
    verify error:num=19:self signed certificate in certificate chain
    verify return:0
    4661:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1053:SSL alert number 48
    4661:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:

The above makes a little more sense to me, as the CA certificate isn't (I guess) in the default set shipped with the OS.

Similar errors occur in 0.9.7l on MacOSX 10.5.6, but with different line numbers in the source files.

Is there something I'm doing wrong here?

Many thanks,
Paul
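
Added example (not part of the original post, and not OpenSSL project code): a small decoder for the two error lines quoted above, showing that the packed code 14094418 is an alert that s_client read from the server, which is how a server reports that it could not chain the client's certificate to a CA it trusts. The helper names and the short alert table are assumptions made for this illustration.

```python
import re

# Constructed sample: the two error lines quoted in the post above.
SAMPLE = """\
4645:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1053:SSL alert number 48
4645:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
"""

ERR_LIB_SSL = 20             # library number behind "SSL routines"
SSL_AD_REASON_OFFSET = 1000  # reason = 1000 + alert number for alerts read from the peer
ALERTS = {42: "bad_certificate", 46: "certificate_unknown", 48: "unknown_ca"}  # subset only

# pid:error:<packed code>:<library>:<function>:<reason>:<file>:<line>:<extra data>
LINE = re.compile(
    r"^(\d+):error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):([^:]*):([^:]*):(\d+):(.*)$")

def decode(line):
    """Split one OpenSSL error-queue line and unpack its 32-bit error code."""
    m = LINE.match(line.strip())
    if m is None:
        return None
    code = int(m.group(2), 16)
    # ERR_PACK layout in OpenSSL 0.9.x (the versions in the post):
    # 8 bits library, 12 bits function, 12 bits reason.
    lib, func, reason = code >> 24, (code >> 12) & 0xFFF, code & 0xFFF
    alert = None
    if lib == ERR_LIB_SSL and reason > SSL_AD_REASON_OFFSET:
        alert = reason - SSL_AD_REASON_OFFSET  # alert was received, not sent
    return {"lib": lib, "func": func, "reason": reason,
            "function": m.group(4), "text": m.group(5),
            "peer_alert": alert, "alert_name": ALERTS.get(alert)}

def report(text):
    """Summarise each error line as a peer alert or a local error."""
    out = []
    for line in text.splitlines():
        d = decode(line)
        if d is None:
            continue
        if d["peer_alert"] is not None:
            out.append("peer sent alert %d (%s), read in %s"
                       % (d["peer_alert"], d["alert_name"], d["function"]))
        else:
            out.append("local error in %s: %s" % (d["function"], d["text"]))
    return out

if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```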