 

OpenSSL s_client doesn't verify certificates in 0.9.8r

I am using openssl v0.9.8r and I tried running this command (with the CA file name as cacert.pem in the directory in which I was running):

    openssl s_client -CAfile cacert.pem -CApath ./ -connect mail.google.com:443

And the verification failed as follows:

    Verify return code: 20 (unable to get local issuer certificate)

However, when I tried the same command on one of the older versions, namely OpenSSL 0.9.8e-fips-rhel5, it succeeded as expected. Am I missing something here? I would greatly appreciate any help I can get, as I have been stuck with openssl issues for a while now. Thanks a lot in advance.

Regards

Hari

asked Nov 05 '22 20:11

Hari


1 Answer

From the OpenSSL Verify page:

20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: unable to get local issuer certificate

the issuer certificate could not be found: this occurs if the issuer certificate of an untrusted certificate cannot be found.

As you can guess, this means the CA failed to load or validate. This can be caused by any number of reasons, but here's a good checklist.

  • Permissions. On Linux try sudo. On Windows try "Run as Administrator".
  • Try using the verify command with both versions and see if you get the same error.

    openssl verify -CAfile cacert.pem -CApath ./

  • Missing/misplaced files. Something might have changed in that folder since you were running.

  • Path. Try running the command from the same directory you were in when you ran the command from OpenSSL 0.9.8e-fips-rhel5.
answered Nov 17 '22 20:11

jveazey
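
The checklist above, scripted as an added example (not part of the original answer or of OpenSSL): it builds throwaway CAs and a leaf certificate, then shows `openssl verify` reporting error 20 when `-CAfile` names a CA that did not issue the certificate. All certificates and names are constructed, and `make_fixture`, `check_ca_file` and `verify_code` are hypothetical helpers.

```shell
# Added example; every name and certificate below is constructed for the demo.

# make_fixture DIR: two unrelated throwaway CAs and one leaf signed by "good".
make_fixture() {
    fx=$1
    cat > "$fx/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    for ca in good other; do
        openssl req -x509 -config "$fx/req.cnf" -subj "/CN=Constructed $ca CA" \
            -newkey rsa:2048 -nodes -keyout "$fx/$ca.key" -out "$fx/$ca.pem" \
            -days 2 2>/dev/null || return 1
    done
    openssl req -new -config "$fx/req.cnf" -subj "/CN=leaf.example" \
        -newkey rsa:2048 -nodes -keyout "$fx/leaf.key" -out "$fx/leaf.csr" \
        2>/dev/null || return 1
    openssl x509 -req -in "$fx/leaf.csr" -CA "$fx/good.pem" -CAkey "$fx/good.key" \
        -CAcreateserial -out "$fx/leaf.pem" -days 2 2>/dev/null
}

# check_ca_file FILE: the checklist's file checks; prints the first problem found.
check_ca_file() {
    [ -e "$1" ] || { echo missing; return 1; }
    [ -r "$1" ] || { echo unreadable; return 1; }
    openssl x509 -in "$1" -noout 2>/dev/null || { echo not-a-pem-certificate; return 1; }
    echo ok
}

# verify_code CAFILE CERT: prints 0, the numeric verify error, or load-failed.
verify_code() {
    out=$(openssl verify -CAfile "$1" "$2" 2>&1) && rc=0 || rc=$?
    code=$(printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1)
    if [ -n "$code" ]; then echo "$code"
    elif [ "$rc" -eq 0 ]; then echo 0
    else echo load-failed; fi
}

demo=$(mktemp -d) && make_fixture "$demo" || exit 1
echo "CA file check: $(check_ca_file "$demo/good.pem")"
echo "matching CA:   $(verify_code "$demo/good.pem" "$demo/leaf.pem")"
echo "unrelated CA:  $(verify_code "$demo/other.pem" "$demo/leaf.pem")"
echo "missing CA:    $(check_ca_file "$demo/absent.pem")"
```

Running the same script under each OpenSSL build being compared shows whether the difference lies in the CA inputs or in the build itself.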