On 22 March 2013 00:19, barcaroller <barcarol...@gmail.com> wrote:
>
> When the openssl s_server program is unable to verify a client certificate, it prints out the following error message:
>
> verify error:num=21:unable to verify the first certificate
> verify return:1
>
> but then continues running as if nothing happened. Shouldn't the program stop immediately?
It is an intentional "feature". But I think the s_server documentation is missing an important thing mentioned for s_client.

http://www.openssl.org/docs/apps/s_client.html#item__verify

  -verify depth
    The verify depth to use. This specifies the maximum length of the server certificate chain and turns on server certificate verification. Currently the verify operation continues after errors so all the problems with a certificate chain can be seen. *As a side effect the connection will never fail due to a server certificate verify failure*.

P
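The two lines quoted in the question are the only evidence s_server gives that client-certificate verification failed: the callback prints the error, returns 1, and the handshake completes. Anything that scripts s_server or s_client therefore has to read those lines rather than treat "connection established" as "certificate verified". The following is an added example, not code from the thread or from OpenSSL: a small parser that extracts the verify lines from a captured transcript and turns them into an explicit pass/fail verdict. The sample transcripts are constructed around the lines quoted above; the non-verify lines in them (ACCEPT, CONNECTED, depth=... subject lines) are illustrative filler, not captured output.

```python
"""Turn the verify lines of an openssl s_server / s_client transcript into a verdict.

Both tools print one "verify error:num=N:<reason>" line per problem shown to the
verify callback, followed by "verify return:1": the callback returned 1, meaning
"keep going". The handshake therefore completes even though verification failed,
so automation that only checks whether the connection was established misses the
failure. This module answers "did verification actually pass?" from the output.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Per-certificate callback output, printed by both s_server and s_client.
VERIFY_ERROR_RE = re.compile(r"^verify error:num=(\d+):(.*)$")
VERIFY_RETURN_RE = re.compile(r"^verify return:(\d+)$")
# Summary line printed by s_client at the end of the handshake.
VERIFY_CODE_RE = re.compile(r"^\s*Verify return code: (\d+) \((.*)\)$")


@dataclass
class VerifyReport:
    errors: List[Tuple[int, str]] = field(default_factory=list)  # (X509 verify code, reason)
    continued_after_error: bool = False  # "verify return:1" directly followed an error line
    final_code: Optional[int] = None     # s_client's "Verify return code", if present

    @property
    def ok(self) -> bool:
        """True only if no verify error line appeared and any summary code is 0."""
        return not self.errors and self.final_code in (None, 0)


def parse_transcript(text: str) -> VerifyReport:
    """Scan a transcript line by line and collect the verification evidence."""
    report = VerifyReport()
    error_pending = False  # the previous verify line reported an error
    for line in text.splitlines():
        m = VERIFY_ERROR_RE.match(line)
        if m:
            report.errors.append((int(m.group(1)), m.group(2)))
            error_pending = True
            continue
        m = VERIFY_RETURN_RE.match(line)
        if m:
            # return:1 after an error is the "continue anyway" behaviour from the thread
            if error_pending and m.group(1) == "1":
                report.continued_after_error = True
            error_pending = False
            continue
        m = VERIFY_CODE_RE.match(line)
        if m:
            report.final_code = int(m.group(1))
    return report


def verdict(text: str) -> str:
    """One-line, grep-friendly summary suitable for a test harness."""
    r = parse_transcript(text)
    if r.ok:
        return "PASS: peer certificate verified"
    codes = ",".join(str(code) for code, _ in r.errors) or str(r.final_code)
    suffix = " (connection continued anyway)" if r.continued_after_error else ""
    return f"FAIL: verify error code(s) {codes}{suffix}"


# Constructed sample transcripts modelled on the lines quoted in the thread.
S_SERVER_UNTRUSTED_CLIENT = """\
ACCEPT
depth=0 CN = client.example.test
verify error:num=21:unable to verify the first certificate
verify return:1
"""

S_CLIENT_TRUSTED_SERVER = """\
CONNECTED(00000003)
depth=1 CN = Example Test CA
verify return:1
depth=0 CN = server.example.test
verify return:1
    Verify return code: 0 (ok)
"""

if __name__ == "__main__":
    print(verdict(S_SERVER_UNTRUSTED_CLIENT))
    print(verdict(S_CLIENT_TRUSTED_SERVER))
```

If you control the invocation rather than only the captured output, both s_client and s_server also accept -verify_return_error, which makes a verification error fatal to the handshake instead of the print-and-continue behaviour described in the reply; the parser above covers the case where the default behaviour is in use.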