lost and found ( for me ? )


openssl s_client : verify error:num=20:unable to get local issuer certificate

A small tip.

Here’s how to solve the error “verify error:num=20:unable to get local issuer certificate” that appears when connecting to HTTPS sites with the “openssl s_client” command. The error means s_client could not find the issuer (CA) of the server certificate in its trust store, so the chain could not be verified.

# openssl s_client -connect google.com:443
CONNECTED(00000003)
depth=1 C = US, O = Google Inc, CN = Google Internet Authority
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google.com
  i:/C=US/O=Google Inc/CN=Google Internet Authority
1 s:/C=US/O=Google Inc/CN=Google Internet Authority
  i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
<snip>
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority


There are two ways to solve this.

  1. specify the server certificate file

Create a file containing the text from “-----BEGIN CERTIFICATE-----” to “-----END CERTIFICATE-----” (the “Server certificate” block in the output above).
# cat google.crt
-----BEGIN CERTIFICATE-----
<snip>
-----END CERTIFICATE-----

Specify the file with the -CAfile option.
# openssl s_client -CAfile google.crt -connect www.google.com:443 -debug -showcerts
CONNECTED(00000003)
write to 0x1944250 [0x196b780] (226 bytes => 226 (0xE2))
0000 - 16 03 01 00 dd 01 00 00-d9 03 02 51 42 cb 45 7a   ...........QB.Ez
0010 - 10 cc 75 53 74 bc 61 6e-29 98 28 64 30 23 69 d7   ..uSt.an).(d0#i.
0020 - 76 8e 16 2b 58 ec 93 76-62 4a 82 00 00 66 c0 14   v..+X..vbJ...f..
<snip>
   0050 - f6 69 67 d4 a0 c0 9c d1-8e fb c2 e7 ea a3 a6 d6   .ig.............
   0060 - d4 48 fa 77 9a d7 24 09-49 e9 8b 7d f4 de ad 2d   .H.w..$.I..}...-
   0070 - d5 ac a7 a7 c6 4d f5 07-bc bd 08 a5 cf 97 02 91   .....M..........
   0080 - e5 41 df 87 a9 df 93 df-86 af f6 38 e7 46 c3 b3   .A.........8.F..
   0090 - 98 63 60 df                                       .c`.

   Start Time: 1363331909
   Timeout   : 300 (sec)
   Verify return code: 0 (ok)
---
GET / HTTP/1.0
write to 0x1944250 [0x1975233] (40 bytes => 40 (0x28))
0000 - 17 03 02 00 23 15 22 62-d2 f3 45 c2 7d 0a 6d 04   ....#."b..E.}.m.
0010 - 28 b9 01 ad dd 57 46 30-78 f6 75 04 e7 4a cf 4b   (....WF0x.u..J.K
<snip>
#


  2. specify the root CA certificate file

On Ubuntu 12.04 the CA bundle is located at /etc/ssl/certs/ca-certificates.crt.
The file name and location of the CA bundle may differ between distributions and versions.
root@ubuntu1204-vm1:~# update-ca-certificates
Updating certificates in /etc/ssl/certs... 0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d....done.

root@ubuntu1204-vm1:~# updatedb

root@ubuntu1204-vm1:~# locate ca-certificates.crt
/etc/ssl/certs/ca-certificates.crt


Specify the CA bundle as the -CAfile.
root@ubuntu1204-vm1:~# openssl s_client -CAfile /etc/ssl/certs/ca-certificates.crt -connect www.google.com:443 -debug -showcerts
CONNECTED(00000003)
write to 0x2309250 [0x2330780] (226 bytes => 226 (0xE2))
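As an added example (not code from the original post), here is a small POSIX shell wrapper that turns the “Verify return code” line of s_client into an exit status, so the check above can run from a script or a monitoring job instead of being read by eye. It assumes openssl is on PATH, uses the CA bundle path from the post as the default, and passes -servername so that hosts behind SNI present the right certificate; the function names and the sample output are constructed for this example (the sample is abridged from the post’s first run). One caveat on the two fixes in the post: pointing -CAfile at the server’s own certificate makes verification pass only while that exact certificate is in use, whereas the CA bundle validates the whole chain and keeps working after the server certificate is renewed.

```shell
#!/bin/sh
# Added example, not part of the original post.
# Scriptable version of the s_client check: parse the "Verify return code"
# line and turn it into an exit status.

# Default CA bundle (path from the post; differs between distributions).
DEFAULT_CAFILE=/etc/ssl/certs/ca-certificates.crt

# Print the numeric verify return code found in s_client output on stdin.
# s_client prints "    Verify return code: N (description)"; with -reconnect
# it prints one per connection, so the last one wins.
verify_code() {
    sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p' | tail -n 1
}

# Print the distinct "verify error:" lines from s_client output on stdin,
# e.g. "num=20:unable to get local issuer certificate".
verify_errors() {
    sed -n 's/^verify error://p' | sort -u
}

# check_chain HOST [PORT] [CAFILE]
# Connects with s_client, feeds it an empty stdin so it exits right after
# the handshake, and returns the verify code (0 = chain verified against
# CAFILE). Returns 2 when no verify result was produced at all (connection
# refused, timeout, bad hostname).
check_chain() {
    host=$1; port=${2:-443}; cafile=${3:-$DEFAULT_CAFILE}
    out=$(openssl s_client -CAfile "$cafile" -servername "$host" \
              -connect "$host:$port" </dev/null 2>&1) || true
    code=$(printf '%s\n' "$out" | verify_code)
    if [ -z "$code" ]; then
        echo "$host:$port: no verify result from s_client" >&2
        return 2
    fi
    if [ "$code" -eq 0 ]; then
        echo "$host:$port: chain verified against $cafile"
    else
        echo "$host:$port: verify return code $code" >&2
        printf '%s\n' "$out" | verify_errors >&2
    fi
    return "$code"
}

# Constructed sample of s_client output, abridged from the post's first run,
# used to demonstrate the parsers without a network connection.
SAMPLE_OUTPUT='CONNECTED(00000003)
depth=1 C = US, O = Google Inc, CN = Google Internet Authority
verify error:num=20:unable to get local issuer certificate
verify return:0
---
    Start Time: 1363331909
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---'

# Usage: ./check_chain.sh www.example.com 443 /etc/ssl/certs/ca-certificates.crt
# Without arguments, run the parser over the constructed sample instead.
if [ $# -gt 0 ]; then
    check_chain "$@"
else
    printf '%s\n' "$SAMPLE_OUTPUT" | verify_code       # prints 20
fi
```

The exit status of check_chain is the OpenSSL verify code itself, so a cron job or nagios-style check can distinguish “unable to get local issuer certificate” (20) from “self signed certificate” (18) without parsing text again.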

The openssl s_client command.

With this you can check all kinds of SSL services (https, smtps, pop3s, and so on) from the CLI.

Just change -port.

For smtps, -port 465
For pop3s, -port 995

That sort of thing.


Below is the result of an https connection.
The “GET / HTTP/1.0” below was typed in by hand.
The cipher suite, session ID and so on are displayed, so it looks quite useful.

-reconnect: reconnect using the session ID

# openssl s_client -host 127.1 -port 443 -state -prexit -reconnect
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=0 /C=JP/ST=test/L=test/O=test/OU=test/CN=www.example.com
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=JP/ST=test/L=test/O=test/OU=test/CN=www.example.com
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
---
Certificate chain
0 s:/C=JP/ST=test/L=test/O=test/OU=test/CN=www.example.com
i:/C=JP/ST=test/L=test/O=test/OU=test/CN=www.example.com
---
Server certificate
-----BEGIN CERTIFICATE-----
<snip>
-----END CERTIFICATE-----
subject=/C=JP/ST=test/L=test/O=test/OU=test/CN=www.example.com
issuer=/C=JP/ST=test/L=test/O=test/OU=test/CN=www.example.com
---
No client certificate CA names sent
---
SSL handshake has read 1349 bytes and written 316 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 1888582FCDE7F3A1BF91074509A6C272854C1BDED9CDAA27A04D8F8CB7A688D9
Session-ID-ctx:
Master-Key: 096CF1F0DBC3053A523E538E67158482AFC7CA0C50EAC34B406E59FE8EE8A6484E01DC4D962D3DC1CBB66317984CF150
Key-Arg : None
Krb5 Principal: None
Start Time: 1259778602
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
---
drop connection and then reconnect
SSL3 alert write:warning:close notify
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv3 write client hello A
SSL_connect:SSLv3 read server hello A
SSL_connect:SSLv3 read finished A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
---
Reused, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 1888582FCDE7F3A1BF91074509A6C272854C1BDED9CDAA27A04D8F8CB7A688D9
Session-ID-ctx:
Master-Key: 096CF1F0DBC3053A523E538E67158482AFC7CA0C50EAC34B406E59FE8EE8A6484E01DC4D962D3DC1CBB66317984CF150
Key-Arg : None
Krb5 Principal: None
Compression: 1 (zlib compression)
Start Time: 1259778602
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
---
drop connection and then reconnect
SSL3 alert write:warning:close notify
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv3 write client hello A
SSL_connect:SSLv3 read server hello A
SSL_connect:SSLv3 read finished A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
---
Reused, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 1888582FCDE7F3A1BF91074509A6C272854C1BDED9CDAA27A04D8F8CB7A688D9
Session-ID-ctx:
Master-Key: 096CF1F0DBC3053A523E538E67158482AFC7CA0C50EAC34B406E59FE8EE8A6484E01DC4D962D3DC1CBB66317984CF150
Key-Arg : None
Krb5 Principal: None
Compression: 1 (zlib compression)
Start Time: 1259778602
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
---
drop connection and then reconnect
SSL3 alert write:warning:close notify
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv3 write client hello A
SSL_connect:SSLv3 read server hello A
SSL_connect:SSLv3 read finished A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
---
Reused, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 1888582FCDE7F3A1BF91074509A6C272854C1BDED9CDAA27A04D8F8CB7A688D9
Session-ID-ctx:
Master-Key: 096CF1F0DBC3053A523E538E67158482AFC7CA0C50EAC34B406E59FE8EE8A6484E01DC4D962D3DC1CBB66317984CF150
Key-Arg : None
Krb5 Principal: None
Compression: 1 (zlib compression)
Start Time: 1259778602
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
---
drop connection and then reconnect
SSL3 alert write:warning:close notify
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv3 write client hello A
SSL_connect:SSLv3 read server hello A
SSL_connect:SSLv3 read finished A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
---
Reused, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 1888582FCDE7F3A1BF91074509A6C272854C1BDED9CDAA27A04D8F8CB7A688D9
Session-ID-ctx:
Master-Key: 096CF1F0DBC3053A523E538E67158482AFC7CA0C50EAC34B406E59FE8EE8A6484E01DC4D962D3DC1CBB66317984CF150
Key-Arg : None
Krb5 Principal: None
Compression: 1 (zlib compression)
Start Time: 1259778602
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
---
drop connection and then reconnect
SSL3 alert write:warning:close notify
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv3 write client hello A
SSL_connect:SSLv3 read server hello A
SSL_connect:SSLv3 read finished A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
---
Reused, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 1888582FCDE7F3A1BF91074509A6C272854C1BDED9CDAA27A04D8F8CB7A688D9
Session-ID-ctx:
Master-Key: 096CF1F0DBC3053A523E538E67158482AFC7CA0C50EAC34B406E59FE8EE8A6484E01DC4D962D3DC1CBB66317984CF150
Key-Arg : None
Krb5 Principal: None
Compression: 1 (zlib compression)
Start Time: 1259778602
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
---
GET / HTTP/1.0

HTTP/1.1 200 OK
Date: Wed, 02 Dec 2009 18:30:08 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Tue, 01 Dec 2009 18:20:06 GMT
ETag: "2a82d-6-ceb3c180"
Accept-Ranges: bytes
Content-Length: 6
Connection: close
Content-Type: text/html; charset=UTF-8
X-Pad: avoid browser bug

hello
SSL3 alert read:warning:close notify
closed
SSL3 alert write:warning:close notify
---
Certificate chain
0 s:/C=JP/ST=test/L=test/O=test/OU=test/CN=www.example.com
i:/C=JP/ST=test/L=test/O=test/OU=test/CN=www.example.com
---
Server certificate
-----BEGIN CERTIFICATE-----
<snip>
-----END CERTIFICATE-----
subject=/C=JP/ST=test/L=test/O=test/OU=test/CN=www.example.com
issuer=/C=JP/ST=test/L=test/O=test/OU=test/CN=www.example.com
---
No client certificate CA names sent
---
SSL handshake has read 489 bytes and written 379 bytes
---
Reused, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 1888582FCDE7F3A1BF91074509A6C272854C1BDED9CDAA27A04D8F8CB7A688D9
Session-ID-ctx:
Master-Key: 096CF1F0DBC3053A523E538E67158482AFC7CA0C50EAC34B406E59FE8EE8A6484E01DC4D962D3DC1CBB66317984CF150
Key-Arg : None
Krb5 Principal: None
Compression: 1 (zlib compression)
Start Time: 1259778602
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
---
#
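As a second added example, not code from the original post: the -reconnect run above is only useful if you read the “New” versus “Reused” lines and the Session-ID values out of it. The POSIX shell script below (function names resumption_summary, session_resumed and check_resumption are assumptions for this example; the sample output is constructed in the shape of the post’s output, with the Session-ID shortened) parses s_client -reconnect output and reports whether the server resumed the session. That is how you confirm a server’s session cache is working, or, for a server that is supposed to have resumption switched off, that it really is. Port numbers follow the post: 443 for https, 465 for smtps, 995 for pop3s.

```shell
#!/bin/sh
# Added example, not part of the original post.
# Parse `openssl s_client -reconnect` output: one full handshake ("New, ...")
# followed by five reconnects that should print "Reused, ..." and repeat
# the same Session-ID.

# Summarise s_client output read from stdin as: new=<n> reused=<n> ids=<n>
# where ids counts distinct non-empty Session-ID values.
resumption_summary() {
    awk '
        /^New, /    { nnew++ }
        /^Reused, / { nreused++ }
        /^ *Session-ID: *[0-9A-Fa-f][0-9A-Fa-f]* *$/ { if (!seen[$2]++) nids++ }
        END { printf "new=%d reused=%d ids=%d\n", nnew + 0, nreused + 0, nids + 0 }
    '
}

# Succeed (exit 0) when at least one reconnect was resumed and all
# connections shared a single Session-ID; fail otherwise.
session_resumed() {
    summary=$(resumption_summary)
    case "$summary" in
        *" reused=0 "*) return 1 ;;
    esac
    case "$summary" in
        *" ids=1") return 0 ;;
    esac
    return 1
}

# check_resumption HOST [PORT]
# Runs the real check. Ports from the post: https 443, smtps 465, pop3s 995.
check_resumption() {
    host=$1; port=${2:-443}
    if openssl s_client -host "$host" -port "$port" -reconnect </dev/null 2>/dev/null \
        | session_resumed; then
        echo "$host:$port: session resumed"
    else
        echo "$host:$port: session NOT resumed"
        return 1
    fi
}

# Constructed sample in the shape of the post's output, Session-ID shortened:
# three connections, the last two resumed.
SAMPLE_RESUMED='New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
SSL-Session:
    Session-ID: 1888582FCDE7F3A1
    Session-ID-ctx:
---
Reused, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
SSL-Session:
    Session-ID: 1888582FCDE7F3A1
    Session-ID-ctx:
---
Reused, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
SSL-Session:
    Session-ID: 1888582FCDE7F3A1
    Session-ID-ctx:
---'

# Constructed sample where the server forgot the session: every reconnect is
# a full handshake with a fresh Session-ID.
SAMPLE_NOT_RESUMED='New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
    Session-ID: 1111111111111111
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
    Session-ID: 2222222222222222
---'

# Usage: ./check_resumption.sh www.example.com 995
# Without arguments, summarise the constructed sample instead.
if [ $# -gt 0 ]; then
    check_resumption "$@"
else
    printf '%s\n' "$SAMPLE_RESUMED" | resumption_summary   # prints new=1 reused=2 ids=1
fi
```

The Session-ID check matters as much as the “Reused” count: a server that accepts resumption but hands out a different ID on every connection is not actually reusing the cached session, and the summary line makes that visible at a glance.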