[openssl-users] Strange problem with openssl

Michael Wojcik Michael.Wojcik at microfocus.com
Fri Nov 10 16:33:41 UTC 2017

> From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf
> Of Paul Schmehl
> Sent: Thursday, November 09, 2017 20:09
> To: openssl-users at openssl.org
> Subject: [openssl-users] Strange problem with openssl
> When I run openssl s_client -connect wiki.vvfh.org:443, I get the following
> error:  Verify return code: 18 (self signed certificate)
> This is very odd, because ssllabs.com scores the site as an A, and says the
> chain is intact, no missing parts. Yet, for some reason, ssl doesn't see it
> that way. Furthermore, it sees the certs as self-signed, which makes no
> sense at all.

It sees *a* certificate as self-signed. And indeed there is one. You're sending the entire chain, including the root. By definition, the root is self-signed.

So s_client is saying: I'm verifying the chain from the server, and I got to the point where I found a self-signed certificate (which is the same as saying "I found a root certificate").

OpenSSL isn't contradicting ssllabs. s_client reports the whole chain is there.

> Even more confusing, if I verify the cert from the commandline, openssl
> says it's OK.
> openssl verify -untrusted
> comodo-rsa-domain-validation-sha-2-w-root.ca-bundle STAR_vvfh_org.crt
> STAR_vvfh_org.crt: OK

s_client isn't saying the certificate isn't OK. It's saying it received a root certificate from the server.

You didn't give s_client any trust anchors to verify the chain. So it's going to walk the whole chain, and it's going to find the root, and it's going to complain about that.

Programs don't normally send the root certificate, on the grounds that if the peer doesn't already have it, they're not going to trust it anyway. But it's not forbidden.

Try this:

1. Run "openssl s_client -connect wiki.vvfh.org:443 -showcerts". Copy the last certificate in the output (which will be the root) and paste it into tmp.pem.
2. Run " openssl s_client -connect wiki.vvfh.org:443 -verify 2 -CAfile tmp.pem". No complaint from s_client now.

Michael Wojcik 
Distinguished Engineer, Micro Focus 

More information about the openssl-users mailing list