Why does OpenSSL report Google's certificate is "self-signed"?

Nan Xiao xiaonan830818 at gmail.com
Wed Mar 31 05:49:31 UTC 2021


Hi OpenSSL users,

Greetings from me!

I am using the master branch of OpenSSL and testing the client-arg program
(in demos/bio) with "google.com:443":

# LD_LIBRARY_PATH=/root/openssl/build gdb --args ./client-arg -connect "google.com:443"
......
(gdb)
91     if (BIO_do_connect(sbio) <= 0) {
(gdb)
97     if (BIO_do_handshake(sbio) <= 0) {
(gdb) p ssl->verify_result
$1 = 18

The connection is successful, but the ssl->verify_result is 18, i.e.,
X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT. I am a little confused: why does
OpenSSL report Google's certificate as "self-signed"? It should not
be. The following result is from "openssl s_client":

# openssl s_client -connect google.com:443
CONNECTED(00000003)
depth=2 OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
verify return:1
depth=1 C = US, O = Google Trust Services, CN = GTS CA 1O1
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google LLC, CN = *.google.com
verify return:1
---
Certificate chain
 0 s:C = US, ST = California, L = Mountain View, O = Google LLC, CN = *.google.com
   i:C = US, O = Google Trust Services, CN = GTS CA 1O1
 1 s:C = US, O = Google Trust Services, CN = GTS CA 1O1
   i:OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
---

Can anyone give some clues? Thanks very much in advance!

Best Regards
Nan Xiao

