Hi, recently when we bought a certificate from Verisign, our cert had a new root certificate, which is "VeriSign Class 3 Public Primary Certification Authority - G5". This cert is quite strange: when I run it at the openssl s_client command line, it won't stop at G5, it will go on to another cert, "Class 3 Public Primary Certification Authority". Here is part of the command line output:

C:\OpenSSL-Win32\bin>openssl s_client -connect xxx.xxx.com:443 -CAfile "<cert_path>\cert.pem"
Loading 'screen' into random state - done
CONNECTED(00000160)
depth=3 C = US, O = "VeriSign, Inc.", OU = Class 3 Public Primary Certification Authority
verify return:1
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
verify return:1
depth=1 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = Terms of use at https://www.verisign.com/rpa (c)10, CN = VeriSign Class 3 Secure Server CA - G3
verify return:1
depth=0 C = US, ST = Pennsylvania, L = xxxx, O = xxxx, OU = xxxx, OU = Terms of use at www.verisign.com/rpa (c)05, CN = xxx.xxx.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=Pennsylvania/L=xxxx/O=xxxx/OU=xxxx/OU=Terms of use at www.verisign.com/rpa (c)05/CN=xxx.xxx.com
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
 2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority

Note that it doesn't stop at "VeriSign Class 3 Public Primary Certification Authority - G5". However, Firefox will stop at that cert. From the cert, its issuer is:

CN = VeriSign Class 3 Public Primary Certification Authority - G5
OU = (c) 2006 VeriSign, Inc. - For authorized use only
OU = VeriSign Trust Network
O = VeriSign, Inc.
C = US

which is itself. Any idea? I did some searching on the internet and didn't find any useful information on this; however, see this post: http://efreedom.com/Question/2-72580/OpenSSL-Certificate-Signature-Failure-Error which has the same verification chain as I saw here.

My second question is about the root CA used here, "Class 3 Public Primary Certification Authority": there are both an expired and an unexpired cert in the CAfile (one expired in 2004, one is good till 2028; we probably should not have done that in the first place, however the software is already at the customer, so it is not easy to change this). The strange behavior I saw here is that openssl sometimes uses the expired cert and sometimes uses the unexpired cert, which really gets me confused. In the above openssl s_client run, the verification is ok; however, after I just removed 2 certs from the CAfile, s_client now starts complaining that the root cert is expired:

C:\OpenSSL-Win32\bin>openssl s_client -connect xxx.xxx.com:443 -CAfile "<cert_path>\cert.pem"
Loading 'screen' into random state - done
CONNECTED(00000160)
depth=3 C = US, O = "VeriSign, Inc.", OU = Class 3 Public Primary Certification Authority
verify error:num=10:certificate has expired
notAfter=Jan  7 23:59:59 2004 GMT
verify return:0
---
Certificate chain
 0 s:/C=US/ST=Pennsylvania/L=xxxx/O=xxxx/OU=xxxx/OU=Terms of use at www.verisign.com/rpa (c)05/CN=xxx.xxx.com
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
 2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority

I just wonder what sequence openssl uses to build up the certificate verification chain. Is this an openssl bug? Have you seen this problem before? Really appreciated.

Thanks,
Pingzhong Li

--
View this message in context: http://old.nabble.com/strange-behavior-of-self-signed-cert-%E2%80%9CVeriSign-Class-3-Public-Primary-Certification-Authority---G5%E2%80%9D.-tp30506166p30506166.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
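The two effects in the post (the chain running past G5 to the old "Class 3 Public Primary Certification Authority", and the expired-root error that comes and goes with the contents of the CAfile) both follow from how a path builder picks the next issuer. The server's chain entry 2 is a cross-certificate: subject G5, issuer the old PCA. The G5 the poster downloaded is the self-signed copy. A builder that consumes the server-supplied chain before consulting the trust store walks the cross-certificate up to the old PCA and then looks that name up in the CAfile, where two certificates share the subject; a builder that consults the trust store at every step finds the self-signed G5 and stops there, which is what Firefox does and what later OpenSSL releases do (1.0.2 added the `-trusted_first` option, 1.1.0 made that the default). The following is an added, constructed Python model of those two strategies; it is not OpenSSL's code, it matches issuers by name only (no signature, key-identifier or notBefore checks), and every date other than the 2004 expiry from the post, plus the verification time, is an assumption.

```python
"""Toy model of X.509 chain building (constructed example, not OpenSSL's code).

A certificate is reduced to subject, issuer and notAfter. Names echo the post;
all dates except the 2004 expiry, and the verification time, are assumed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple


def utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


NOW = utc(2010, 12, 23)  # assumed verification time, around when the post was written


@dataclass(frozen=True)
class Cert:
    label: str      # nickname used in results, to tell the two PCA copies apart
    subject: str
    issuer: str
    not_after: datetime

    def self_signed(self) -> bool:
        return self.subject == self.issuer

    def valid_at(self, when: datetime) -> bool:
        return when <= self.not_after


PCA = "OU=Class 3 Public Primary Certification Authority"
G5 = "CN=VeriSign Class 3 Public Primary Certification Authority - G5"
G3 = "CN=VeriSign Class 3 Secure Server CA - G3"

LEAF = Cert("leaf", "CN=xxx.xxx.com", G3, utc(2012, 1, 1))
G3_CA = Cert("G3", G3, G5, utc(2020, 1, 1))
G5_CROSS = Cert("G5-cross-signed", G5, PCA, utc(2021, 1, 1))  # sent by the server
G5_ROOT = Cert("G5-self-signed", G5, G5, utc(2036, 1, 1))      # the copy in the CAfile
PCA_OLD = Cert("PCA-expired", PCA, PCA, utc(2004, 1, 7))
PCA_NEW = Cert("PCA-2028", PCA, PCA, utc(2028, 8, 1))

SERVER_CHAIN = [LEAF, G3_CA, G5_CROSS]  # what s_client prints as "Certificate chain"


def find_issuer(cert: Cert, pool: List[Cert], prefer_valid: bool = False) -> Optional[Cert]:
    """Pick an issuer for `cert` from `pool` by subject name.

    With prefer_valid=False the first name match wins, so duplicate subjects make
    the outcome depend on file order; with prefer_valid=True an unexpired match
    is preferred over an expired one.
    """
    matches = [c for c in pool if c.subject == cert.issuer]
    if prefer_valid:
        for c in matches:
            if c.valid_at(NOW):
                return c
    return matches[0] if matches else None


def build_path(server_chain: List[Cert], cafile: List[Cert],
               trusted_first: bool = False, prefer_valid: bool = False
               ) -> Tuple[List[str], Optional[str]]:
    """Return (labels of the built path, error); error is None on success.

    trusted_first=False: consume the server's untrusted chain first, then fall
    back to the CAfile (legacy order).  trusted_first=True: consult the CAfile
    at every step, so a trusted self-signed copy of an intermediate ends the
    chain there.
    """
    leaf, untrusted = server_chain[0], server_chain[1:]
    path = [leaf]
    while not path[-1].self_signed():
        current = path[-1]
        candidate = find_issuer(current, cafile, prefer_valid) if trusted_first else None
        if candidate is None:
            candidate = find_issuer(current, untrusted)
        if candidate is None:
            candidate = find_issuer(current, cafile, prefer_valid)
        if candidate is None:
            break
        path.append(candidate)

    anchor = path[-1]
    if not anchor.self_signed():
        return [c.label for c in path], f"depth={len(path) - 1}: unable to get issuer certificate"
    if anchor not in cafile:
        # A self-signed cert supplied by the server counts only if the store has it too.
        store_copy = find_issuer(anchor, cafile, prefer_valid)
        if store_copy is None:
            return [c.label for c in path], f"depth={len(path) - 1}: self signed certificate in certificate chain"
        path[-1] = store_copy

    labels = [c.label for c in path]
    # Validity is checked from the anchor down, mirroring the order s_client prints.
    for depth in range(len(path) - 1, -1, -1):
        if not path[depth].valid_at(NOW):
            return labels, f"depth={depth}: certificate has expired notAfter={path[depth].not_after:%Y-%m-%d}"
    return labels, None


if __name__ == "__main__":
    for name, cafile, kw in [
        ("legacy, expired PCA first", [PCA_OLD, G5_ROOT, PCA_NEW], {}),
        ("legacy, valid PCA first", [PCA_NEW, G5_ROOT, PCA_OLD], {}),
        ("legacy, prefer valid match", [PCA_OLD, G5_ROOT, PCA_NEW], {"prefer_valid": True}),
        ("legacy, only expired PCA", [G5_ROOT, PCA_OLD], {}),
        ("trusted-first", [PCA_OLD, G5_ROOT, PCA_NEW], {"trusted_first": True}),
    ]:
        print(f"{name:28} {build_path(SERVER_CHAIN, cafile, **kw)}")
```

In the legacy order the model always produces the four-deep chain from the post, and whether it ends on the expired or the 2028 copy of the PCA depends only on which one the name lookup returns, which is exactly the "sometimes expired, sometimes not" effect of keeping two certificates with the same subject in one CAfile. The remedy on the trust-store side is to ship a CAfile with one current copy of each root; on the builder side, a trusted-first strategy never reaches the PCA at all as long as the self-signed G5 is in the store.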