> How about serialnumber? Is it possible that the server is clustered
> as you hypothesized, and different instances have different certs --
> both/all for the same subject=server (as would make sense), but one of them
> invalid?

Serial number is the same.

> I don't think there's any easy way; this is buried in lowlevel code.
> If you're running on an OS that provides system-call tracing
> you could try that. You could try using ca-file instead of ca-path,
> i.e. combine all the certs into one file; using load_verify_locations
> or set_default_verify_paths that loads all certs into memory at startup
> instead of accessing them separately from the directory when needed.
> That doesn't allow changing the trust-list while your program is running
> if that matters, but it might help narrow down the problem.

Tried combining all certificates and specifying one file, same result, works most of the time then suddenly doesn't.

echo " " | openssl s_client -debug -connect xxxxxxx:443 -CAfile /home/sm/ssl/all.cert > z.z

depth=0 /1.3.6.1.4.1.311.60.2.1.3=GB/2.5.4.15=V1.0, Clause 5.(b)/serialNumber=03266266/C=GB/ST=Hampshire/L=Portsmouth/O=x/OU=x/OU=Terms of use at www.verisign.co.uk/rpa (c)05/OU=Authenticated by VeriSign
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /1.3.6.1.4.1.311.60.2.1.3=GB/2.5.4.15=V1.0, Clause 5.(b)/serialNumber=03266266/C=GB/ST=Hampshire/L=Portsmouth/O=xt/OU=x/OU=Terms of use at www.verisign.co.uk/rpa (c)05/OU=Authenticated by VeriSign
verify error:num=27:certificate not trusted
verify return:1
depth=0 /1.3.6.1.4.1.311.60.2.1.3=GB/2.5.4.15=V1.0, Clause 5.(b)/serialNumber=03266266/C=GB/ST=Hampshire/L=Portsmouth/O=x/OU=x/OU=Terms of use at www.verisign.co.uk/rpa (c)05/OU=Authenticated by VeriSign
verify error:num=21:unable to verify the first certificate
verify return:1
DONE

echo " " | openssl s_client -debug -connect xxxxxxx:443 -CAfile /home/sm/ssl/all.cert > z.z

depth=2 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
verify return:1
depth=1 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA
verify return:1
depth=0 /1.3.6.1.4.1.311.60.2.1.3=GB/2.5.4.15=V1.0, Clause 5.(b)/serialNumber=03266266/C=GB/ST=Hampshire/L=Portsmouth/O=x/OU=x/OU=Terms of use at www.verisign.co.uk/rpa (c)05/OU=Authenticated by VeriSign
verify return:1
DONE
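Added example, not code from the thread or from OpenSSL: a POSIX shell helper that reduces an s_client transcript like the two captures above to one verdict line (the failing run shows depth=0 only with verify errors, the good run shows depth=2 down to 0 with none), plus a loop that probes the same host:port repeatedly so an intermittently incomplete chain from one cluster node stands out. The host, CA file path and sample transcripts are constructed placeholders.

```shell
# classify_chain reads one openssl s_client transcript on stdin and prints
# "<max_depth> <errors> <verdict>": max_depth is the deepest "depth=N" the verify
# callback reported, errors the number of "verify error" lines. depth=0 only
# plus errors means the server presented just the leaf, as in the failing capture.
classify_chain() {
    awk '
        BEGIN { maxd = -1; errs = 0 }
        /^depth=/        { d = substr($1, 7) + 0; if (d > maxd) maxd = d }
        /^verify error:/ { errs++ }
        END {
            if (maxd < 0)       verdict = "no-handshake"
            else if (errs == 0) verdict = "chain-ok"
            else if (maxd == 0) verdict = "leaf-only"
            else                verdict = "verify-failed"
            print maxd, errs, verdict
        }'
}

# Probe host:port N times with the same CA file, one verdict line per run.
# Usage: probe_chain www.example.invalid:443 /home/sm/ssl/all.cert 20
probe_chain() {
    target=$1; cafile=$2; runs=${3:-10}; i=0
    while [ "$i" -lt "$runs" ]; do
        i=$((i + 1))
        printf 'run %d: ' "$i"
        echo " " | openssl s_client -connect "$target" -CAfile "$cafile" 2>&1 | classify_chain
    done
}

# Constructed transcripts modelled on the two captures in the thread
# (subjects shortened to placeholders); used to check classify_chain offline.
SAMPLE_LEAF_ONLY='depth=0 /C=GB/O=placeholder/CN=www.example.invalid
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=GB/O=placeholder/CN=www.example.invalid
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=GB/O=placeholder/CN=www.example.invalid
verify error:num=21:unable to verify the first certificate
verify return:1
DONE'
SAMPLE_FULL_CHAIN='depth=2 /C=US/O=Placeholder CA/CN=Placeholder Root CA
verify return:1
depth=1 /C=US/O=Placeholder CA/CN=Placeholder Intermediate CA
verify return:1
depth=0 /C=GB/O=placeholder/CN=www.example.invalid
verify return:1
DONE'
```

Running probe_chain against the real host with the same all.cert will show whether the "leaf-only" verdict appears only on some runs, which is what a cluster member serving an incomplete chain looks like from the client side.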