On Wed, Jan 22, 2014 at 09:40:39PM +0000, Viktor Dukhovni wrote:

> > Verify return code: 0 (ok)
>
> The return code from the verify callback is not the certificate
> verification status. It just means the client is willing to keep
> going.
Sorry, small correction, in s_client when you see:

    ...
    verify error:num=20:unable to get local issuer certificate
    verify return:1
    depth=0 CN = mail.example.com
    verify error:num=27:certificate not trusted
    verify return:1
    depth=0 CN = mail.example.com
    verify error:num=21:unable to verify the first certificate
    verify return:1
    ---
    ...
    Compression: 1 (zlib compression)
    Start Time: 1390431462
    Timeout : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)

Indeed the final "Verify return code" is the certificate verification
status. It is the earlier "verify return" messages that show the
callback processing.

So with "Verify return code: 0 (ok)", you must have specified a usable
CAfile or the system default location had the requisite root CA.

-- 
Viktor.
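The distinction made above (per-callback "verify return:1" lines versus the final "Verify return code") is easy to get wrong when s_client output is checked by a script. The following parser is an added example, not code from the thread or from OpenSSL: it reads s_client output from a constructed sample modelled on the excerpt above, collects the callback events separately from the final status, and only reports the chain as verified when the final code is 0. The sample text and the function names are my own assumptions.

```python
import re

# Constructed sample of `openssl s_client` output, modelled on the excerpt
# quoted in the message above. Not a real capture.
SAMPLE_OUTPUT = """\
CONNECTED(00000003)
depth=0 CN = mail.example.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = mail.example.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 CN = mail.example.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:CN = mail.example.com
   i:CN = Example Issuing CA
---
    Start Time: 1390431462
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
"""

# Per-callback lines: an optional error, then the callback's own return value.
CALLBACK_ERROR = re.compile(r"^verify error:num=(\d+):(.*)$")
CALLBACK_RETURN = re.compile(r"^verify return:(\d+)$")
# The one line that carries the actual verification status of the chain.
FINAL_CODE = re.compile(r"^\s*Verify return code: (\d+) \((.*)\)$")


def parse_verify(output):
    """Split s_client output into callback events and the final status.

    Returns (events, final) where events is a list of
    (error_number_or_None, error_text_or_None, callback_return) and
    final is (code, text) from the "Verify return code" line, or None
    if that line is absent (for example, a handshake that never finished).
    """
    events = []
    pending = None  # most recent "verify error" not yet paired with a return
    final = None
    for line in output.splitlines():
        m = CALLBACK_ERROR.match(line)
        if m:
            pending = (int(m.group(1)), m.group(2))
            continue
        m = CALLBACK_RETURN.match(line)
        if m:
            # "verify return:1" only records that the callback chose to
            # continue the handshake; it says nothing about trust.
            num, text = pending if pending else (None, None)
            events.append((num, text, int(m.group(1))))
            pending = None
            continue
        m = FINAL_CODE.match(line)
        if m:
            final = (int(m.group(1)), m.group(2))
    return events, final


def callback_always_continued(output):
    """True when every callback invocation returned 1 (kept going)."""
    events, _ = parse_verify(output)
    return bool(events) and all(ret == 1 for _, _, ret in events)


def chain_verified(output):
    """True only when the final "Verify return code" is 0 (ok)."""
    _, final = parse_verify(output)
    return final is not None and final[0] == 0


if __name__ == "__main__":
    events, final = parse_verify(SAMPLE_OUTPUT)
    for num, text, ret in events:
        print(f"callback: error={num} ({text}) -> return {ret}")
    print(f"final status: {final}")
    print(f"callback always continued: {callback_always_continued(SAMPLE_OUTPUT)}")
    print(f"chain verified: {chain_verified(SAMPLE_OUTPUT)}")
```

On the sample, every callback returns 1, yet `chain_verified` is False because the final code is 21; a script that greps only for "verify return:1" would wrongly accept the untrusted chain.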