I am using openssl v0.9.8r and I tried running this command (with the CA file name as cacert.pem in the directory in which I was running)
openssl s_client -CAfile cacert.pem -CApath ./ -connect mail.google.com:443
And the verification failed as follows
Verify return code: 20 (unable to get local issuer certificate)
However, when I tried the same command on one of the older versions, namely OpenSSL 0.9.8e-fips-rhel5, it succeeded as expected. Am I missing something here? I would greatly appreciate any help I can get as I have been stuck with openssl issues for a while now. Thanks a lot in advance.
Regards
Hari
From the OpenSSL Verify page
20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: unable to get local issuer certificate
the issuer certificate could not be found: this occurs if the issuer certificate of an untrusted certificate cannot be found.
As you can guess, this means the CA failed to load or validate. This can be caused by any number of reasons, but here's a good checklist.
- Permissions. On Linux try sudo. On Windows try "Run as Administrator".
- Try using the verify command with both versions and see if you get the same error.
openssl verify -CAfile cacert.pem -CApath ./
- Missing/misplaced files. Something might have changed in that folder since you were running.
- Path. Try running the command from the same directory you were in when you ran the command from OpenSSL 0.9.8e-fips-rhel5.
This one is closer to a bug than a feature, but it's a feature so long as we document it ;-)
c_rehash /etc/ssl/certs
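The -CApath lookup behind the c_rehash step, as an added example that is not part of the original answer: a directory passed to -CApath is searched only for files named after the certificate's subject hash, so a plain cacert.pem sitting in ./ is not found that way. The function names and the throwaway CA are constructed for illustration.

```shell
#!/bin/sh
# Added example; helper names are hypothetical, the sample CA is constructed.
# Run the checks with the same openssl binary that will do the verification.

# Print the subject-name hash this openssl binary computes for a PEM certificate.
cert_hash() {
    openssl x509 -noout -subject_hash -in "$1"
}

# Print the fingerprint of a PEM certificate (used to compare two files).
cert_fp() {
    openssl x509 -noout -fingerprint -in "$1"
}

# Return 0 if DIR holds a <hash>.<n> file containing the same certificate as CERT.
capath_has_cert() {
    dir=$1 cert=$2
    h=$(cert_hash "$cert") || return 2
    want=$(cert_fp "$cert") || return 2
    for f in "$dir/$h".[0-9]*; do
        [ -e "$f" ] || continue          # glob matched nothing
        [ "$(cert_fp "$f" 2>/dev/null)" = "$want" ] && return 0
    done
    return 1
}

# Create the hash-named symlink for one certificate, which is what c_rehash
# does for every certificate in a directory. Uses the first free suffix.
capath_link_cert() {
    dir=$1 cert=$2
    capath_has_cert "$dir" "$cert" && return 0
    h=$(cert_hash "$cert") || return 2
    n=0
    while [ -e "$dir/$h.$n" ]; do n=$((n + 1)); done
    ln -s "$(cd "$(dirname "$cert")" && pwd)/$(basename "$cert")" "$dir/$h.$n"
}

# Build a throwaway self-signed CA in directory $1 (constructed sample input)
# and print the path of its certificate.
make_sample_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Example CA" \
        -keyout "$1/ca.key" -out "$1/cacert.pem" 2>/dev/null
    echo "$1/cacert.pem"
}
```

With these loaded, `capath_has_cert ./ cacert.pem` reports whether the directory from the question is usable as a -CApath for that CA.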