Why does OpenSSL report google's certificate is "self-signed"?
Nan Xiao
xiaonan830818 at gmail.com
Wed Mar 31 05:49:31 UTC 2021
Hi OpenSSL users,
Greetings from me!
I am using the master branch of OpenSSL and testing client-arg program
(in demos/bio) with "google.com:443":
# LD_LIBRARY_PATH=/root/openssl/build gdb --args ./client-arg -connect
"google.com:443"
......
(gdb)
91 if (BIO_do_connect(sbio) <= 0) {
(gdb)
97 if (BIO_do_handshake(sbio) <= 0) {
(gdb) p ssl->verify_result
$1 = 18
The connection is successful, but the ssl->verify_result is 18, i.e.,
X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT. I am a little confused why
OpenSSL reports google's certificate is "self-signed"? And it should
be not. The following result is from "openssl s_client":
# openssl s_client -connect google.com:443
CONNECTED(00000003)
depth=2 OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
verify return:1
depth=1 C = US, O = Google Trust Services, CN = GTS CA 1O1
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google LLC, CN
= *.google.com
verify return:1
---
Certificate chain
0 s:C = US, ST = California, L = Mountain View, O = Google LLC, CN =
*.google.com
i:C = US, O = Google Trust Services, CN = GTS CA 1O1
1 s:C = US, O = Google Trust Services, CN = GTS CA 1O1
i:OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
---
Anyone can give some clues? Thanks very much in advance!
Best Regards
Nan Xiao
More information about the openssl-users
mailing list