[openssl-dev] [openssl.org #4510] SSL certificate problem: unable to get local issuer certificate. Bug?

SMS Conversation via RT rt at openssl.org
Fri May 6 22:18:46 UTC 2016 

>
> PS C:\OpenSSL-Win32\bin> .\openssl s_client -connect
> www.googleapis.com:443
> CONNECTED(00000088)
> depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
> verify error:num=20:unable to get local issuer certificate
> ---
> Certificate chain
>  0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.googleapis.com
>    i:/C=US/O=Google Inc/CN=Google Internet Authority G2
>  1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
>    i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
>  2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
>    i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> MIIE3TCCA8WgAwIBAgIIDH5aJKS4GAgwDQYJKoZIhvcNAQELBQAwSTELMAkGA1UE
> BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl
> cm5ldCBBdXRob3JpdHkgRzIwHhcNMTYwNTA0MDkwNDQ5WhcNMTYwNzI3MDgzOTAw
> WjBqMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN
> TW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEZMBcGA1UEAwwQKi5n
> b29nbGVhcGlzLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAI8B
> ycNrRlBbiRgDcbCJ9fDNbfXCbKZgU8ZVwlXQitVVd4WTPMvXBJc9Pqp8ZjdnC6wG
> bQZYogxOzWjDtkmlyHmjncfWN64yOhKUrOVcueylNtMaO7RP4mId9DKRcZK+omh4
> ONvJC3wb7HSu5oKWm2jf47XUU0/XXGuX2BXQNJmXP3g56vHnRkNzfO5iygqFbMtM
> 8Wu/M4agSa24HIcx55z5LhAzupoTBhNVYvyvegdIEjhXJQ1h8DyWaCnE7Ek57pba
> QjlEwW7cFFA0xOMwM8SrI34kfLh43eNGFaqZn1wHieFK51WK83WLFge8fG6+qZSL
> 63R+QtXlVRF5WvCvjHcCAwEAAaOCAaYwggGiMB0GA1UdJQQWMBQGCCsGAQUFBwMB
> BggrBgEFBQcDAjB0BgNVHREEbTBrghAqLmdvb2dsZWFwaXMuY29tghUqLmNsaWVu
> dHM2Lmdvb2dsZS5jb22CGCouY2xvdWRlbmRwb2ludHNhcGlzLmNvbYIWY2xvdWRl
> bmRwb2ludHNhcGlzLmNvbYIOZ29vZ2xlYXBpcy5jb20waAYIKwYBBQUHAQEEXDBa
> MCsGCCsGAQUFBzAChh9odHRwOi8vcGtpLmdvb2dsZS5jb20vR0lBRzIuY3J0MCsG
> CCsGAQUFBzABhh9odHRwOi8vY2xpZW50czEuZ29vZ2xlLmNvbS9vY3NwMB0GA1Ud
> DgQWBBSCEj3sYkh+7kTDbxl2z1RuBnZq1zAMBgNVHRMBAf8EAjAAMB8GA1UdIwQY
> MBaAFErdBhYbvPZotXb1gba7Yhq6WoEvMCEGA1UdIAQaMBgwDAYKKwYBBAHWeQIF
> ATAIBgZngQwBAgIwMAYDVR0fBCkwJzAloCOgIYYfaHR0cDovL3BraS5nb29nbGUu
> Y29tL0dJQUcyLmNybDANBgkqhkiG9w0BAQsFAAOCAQEAW3uduEkfbXschjzuWe1/
> tBFY5ZOMsaLRXyIHaHYdrrqi8NDHa/l+ukPiJZQLyEV3PKHUjFSjZKr88dw5Rw/R
> NGD0QaR/4iWcvR8bn0rbHtW1k/q34CsIHLHMqDRdBA3ciJSAViwJDqo7VxIGwkuX
> N0veDKwkPgbUL1Z8/HBtl74Acp11LeXP0RWEZYH/FhR9Q2XBnXDHMk8UmjIEKGTv
> +ubGxdvq8JN0d++y0hPJjM+RspdrOpLIGIlvIXZefTrobuFGuwiDzdG8P8q1MaVK
> 8dHSjECXVd/o81gCI3ZJ9ycHMPMpRxoC3JK21SGHDs16hHuEup2EBNW1w7JKsai5
> wQ==
> -----END CERTIFICATE-----
> subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.
> googleapis.com
> issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2
> ---
> No client certificate CA names sent
> Peer signing digest: SHA256
> Server Temp Key: ECDH, P-256, 256 bits
> ---
> SSL handshake has read 3820 bytes and written 433 bytes
> ---
> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : ECDHE-RSA-AES128-GCM-SHA256
>     Session-ID:
> 9E26D6E32758E9BC908849E57A3DBD2A9C3905604D8E63FB044B0E195C00AF1F
>     Session-ID-ctx:
>     Master-Key:
> 6458E2E8555AE8A173D525FCDE2A84C39B50451CE645F81ABB1265133C3D6CF272B41F3D0F5F1E66CBB3445FB2FBBBCB
>     Key-Arg   : None
>     PSK identity: None
>     PSK identity hint: None
>     SRP username: None
>     TLS session ticket lifetime hint: 100800 (seconds)
>     TLS session ticket:
>     0000 - ec 61 29 b8 43 b5 f4 1c-d7 d8 87 e1 2c b1 77 cd
> .a).C.......,.w.
>     0010 - 22 1d df 2e 1c e5 27 e5-7e e5 5d 0a f4 8e 67 6a
> ".....'.~.]...gj
>     0020 - ef 3b 54 67 20 78 bb a3-1f 74 0f 0b 01 5e e2 71   .;Tg
> x...t...^.q
>     0030 - 88 62 1b 4d 62 d6 8b 88-61 51 51 da 4a de 6f bc
> .b.Mb...aQQ.J.o.
>     0040 - eb 00 f8 02 cd 25 ed 97-a7 a6 a6 8e c2 5b cd 6b
> .....%.......[.k
>     0050 - 7c 91 f9 56 8b bc 16 0e-ae 25 55 c3 b1 70 1a 5d
> |..V.....%U..p.]
>     0060 - f2 6e 91 5a a5 84 e1 a3-d3 68 27 60 47 03 f9 03
> .n.Z.....h'`G...
>     0070 - 5b 64 0c 7a f2 fd a5 07-fe 0d 4d 74 47 db 33 fb
> [d.z......MtG.3.
>     0080 - d9 0d fd 79 9d 21 3a c7-8f b8 5d 36 c4 f2 63 8d
> ...y.!:...]6..c.
>     0090 - 28 65 8e 72 20 e3 29 97-22 4f 13 3b b2 63 e1 20   (e.r
> .)."O.;.c.
>     00a0 - 2c a8 b8 4b                                       ,..K
>     Start Time: 1462572985
>     Timeout   : 300 (sec)
>     Verify return code: 20 (unable to get local issuer certificate)
> ---
>
>
> On Fri, May 6, 2016 at 2:19 PM, Stephen Henson via RT <rt at openssl.org>
> wrote:
> >
> > I updated the openssl version to 1.0.2h and reran. Was able to
> > reproduce. *Old
> > pem works newer pem fails*.
> >
> Can you reproduce this using s_client?
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
> --
> Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4510
> Please log in as guest with password guest if prompted
>
On Fri May 06 00:33:47 2016, nbhfgq at gmail.com wrote:
>

-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4510
Please log in as guest with password guest if prompted

More information about the openssl-dev mailing list