SSL_CTX_set_verify uses the "wrong" certificate chain (cross signed certificate)

Angus Robertson - Magenta Systems Ltd angus at
Sat Oct 2 17:21:00 UTC 2021

> Yes.  To make things even more complex, a few sites also have an 
> older version of R3 that is directly signed by the DST root:
>      - leaf <- R3 <- DST Root CA X3 (self-signed)
> but that's far from common at this point.

That old R3 root was issued last winter and got installed in Windows
Server 2018 intermediate stores then, and was still being sent out on
29th and 30th, despite expiring on 29th.  

Perhaps because IIS caches server certificates.  I had to delete it
from the Windows store and reboot the server to stop it being sent out
by IIS. 

