I was hoping to get a better understanding of how to use 'verify' to verify server certificates.
On my CentOS host, I can direct 's_client' to use the default CA certificate store to collect a Google SSL certificate, and this passes a verify check:

  # openssl s_client -CApath /etc/pki/tls/cert.pem \
      -connect www.google.com:443 < /dev/null > out.google.pem
  depth=2 /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
  verify return:1
  depth=1 /C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
  verify return:1
  depth=0 /C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
  verify return:1
  DONE

If I try to re-verify this certificate, though, it fails:

  # openssl verify -verbose -CAfile /etc/pki/tls/cert.pem \
      -purpose sslserver -issuer_checks out.google.pem
  out.google.pem: /C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
  error 29 at 0 depth lookup:subject issuer mismatch
  /C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
  error 29 at 0 depth lookup:subject issuer mismatch
  /C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
  error 29 at 0 depth lookup:subject issuer mismatch
  /C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
  error 29 at 0 depth lookup:subject issuer mismatch
  /C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
  error 20 at 0 depth lookup:unable to get local issuer certificate

Clearly, I'm doing something wrong here. Am I misunderstanding what 'verify' is for? Am I mis-invoking it?

FWIW, my environment:

  # cat /etc/redhat-release
  CentOS release 5.4 (Final)
  # rpm -qf /etc/pki/tls/cert.pem
  openssl-0.9.8e-12.el5_4.6

Thanks for any feedback...

--
Brian Reichert <reich...@numachi.com>
BSD admin/developer at large

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
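The following is an added, self-contained example and is not part of Brian's post or of the OpenSSL project. It reproduces the situation the post describes without any network access: 's_client' without '-showcerts' writes only the server's leaf certificate to the output file, so a later 'openssl verify' against the trust store has no copy of the intermediate (here, the Thawte SGC CA) and stops with "error 20 ... unable to get local issuer certificate". The script builds a throwaway root -> intermediate -> leaf chain (all subjects, file names and the $PKI scratch directory are constructed for the example), shows the leaf-only check failing with error 20, and then shows the same check passing once the intermediate is handed to 'verify' with '-untrusted'. Two points worth keeping in mind, both from the OpenSSL manual pages: '-CAfile' expects a bundle file such as /etc/pki/tls/cert.pem, while '-CApath' expects a directory of hash-named certificates; and '-issuer_checks' prints an "error 29 ... subject issuer mismatch" line for every candidate issuer it tries and rejects before the final lookup result, which is why that line repeats in the post.

```shell
#!/bin/sh
# Added example, not code from the mailing-list post or from OpenSSL.
# Builds a disposable three-tier PKI and verifies the leaf two ways.
set -eu

PKI="$(mktemp -d)"            # scratch directory for the constructed PKI
trap 'rm -rf "$PKI"' EXIT     # nothing persists after the script ends

# Create root CA, intermediate CA and a server leaf in $PKI.
setup_test_pki() {
    # Self-signed root (constructed test CA, not a real one).
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$PKI/root.key" -out "$PKI/root.crt" -days 1 \
        -subj "/CN=Example Test Root CA" >/dev/null 2>&1

    # Intermediate CA: CSR signed by the root, with CA extensions so that
    # 'verify' accepts it as an issuer.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$PKI/ca.ext"
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$PKI/int.key" -out "$PKI/int.csr" \
        -subj "/CN=Example Test Intermediate CA" >/dev/null 2>&1
    openssl x509 -req -in "$PKI/int.csr" -CA "$PKI/root.crt" -CAkey "$PKI/root.key" \
        -CAcreateserial -days 1 -extfile "$PKI/ca.ext" -out "$PKI/int.crt" >/dev/null 2>&1

    # Server leaf: signed by the intermediate, with end-entity extensions.
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:www.example.test\n' \
        > "$PKI/leaf.ext"
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$PKI/leaf.key" -out "$PKI/leaf.csr" \
        -subj "/CN=www.example.test" >/dev/null 2>&1
    openssl x509 -req -in "$PKI/leaf.csr" -CA "$PKI/int.crt" -CAkey "$PKI/int.key" \
        -CAcreateserial -days 1 -extfile "$PKI/leaf.ext" -out "$PKI/leaf.crt" >/dev/null 2>&1
}

# Mirrors the failing invocation in the post: trust anchor plus leaf only.
# Exit status is openssl's (non-zero when no chain can be built).
verify_leaf_only() {
    openssl verify -CAfile "$PKI/root.crt" -purpose sslserver "$PKI/leaf.crt"
}

# Same check, but the intermediate is supplied as an untrusted chain cert;
# 'verify' may use it to build the path but will not treat it as a root.
verify_with_intermediate() {
    openssl verify -CAfile "$PKI/root.crt" -untrusted "$PKI/int.crt" \
        -purpose sslserver "$PKI/leaf.crt"
}

# Returns 0 when the leaf-only failure is the error 20 seen in the post.
leaf_only_is_error20() {
    verify_leaf_only 2>&1 | grep -q 'unable to get local issuer certificate'
}

setup_test_pki

if verify_leaf_only >/dev/null 2>&1; then
    echo "leaf-only verify unexpectedly succeeded"
else
    echo "leaf-only verify failed as expected: intermediate not available"
fi
verify_with_intermediate        # prints "<$PKI>/leaf.crt: OK"
```

Against a live server the same split applies: capture the chain with 'openssl s_client -showcerts', put the intermediates in their own PEM file, and pass that file to 'openssl verify -untrusted' alongside the '-CAfile' bundle, so that only the trust store decides which roots are trusted.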