I installed openSSL openssl-1.0.2e-i386-win32 on Win7 Pro 32bit with these instructions: Installing OpenSSL in Windows 8.1.
I tested it with this:
C:ProgramsOpenSSL-Win32bin>openssl version
OpenSSL 1.0.2e 3 Dec 2015
I’m getting an error saying Verify return code: 20 (unable to get local issuer certificate)
.
C:ProgramsOpenSSL-Win32bin>openssl s_client -connect www.openssl.org:443
CONNECTED(00000180)
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Domain Validation CA - SHA256 - G2
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
0 s:/OU=Domain Control Validated/CN=*.openssl.org
i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - SHA256 - G2
1 s:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - SHA256 - G2
i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIE9TCCA92gAwIBAgISESHQqr5sLPE1xTXWmA7ABqljMA0GCSqGSIb3DQEBCwUA
MGAxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMTYwNAYD
VQQDEy1HbG9iYWxTaWduIERvbWFpbiBWYWxpZGF0aW9uIENBIC0gU0hBMjU2IC0g
RzIwHhcNMTQxMDA5MjAyOTAwWhcNMTcxMTEyMTcxNDA1WjA7MSEwHwYDVQQLExhE
b21haW4gQ29udHJvbCBWYWxpZGF0ZWQxFjAUBgNVBAMMDSoub3BlbnNzbC5vcmcw
ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCkfg71ZYW6VtWDbDEmAfDw
CAKVJ260FAP6gANjS8eO+0drZe6MexIA5htR/sYhG8PIsJnKBuxiQ9KwMbRwLxBU
HcuBACT3MNif1DsFWuNCMFsTDPrfJzLOgoPo+4lQ0QYARwMJhxelA0P9rcTwBACY
6QRZgfAJ5iezz69GJkmrDGZIUoAR+PFF7xR/rzFaBMH7gbok0UJRKFPxO5fyiSfc
ZvSmMV/AZcUGVmxE9HLBQ6QCTbAdGAdVlHHxFPVb9Of9Ze/KJg8VIwFl5Hw+RQCj
+OjtBPkSwNQ9r0Bwc2c7uRnRpojERHxlo7Tn8uJ+LYcCkWcaVc8+JbjF78F8E417
AgMBAAGjggHMMIIByDAOBgNVHQ8BAf8EBAMCBaAwSQYDVR0gBEIwQDA+BgZngQwB
AgEwNDAyBggrBgEFBQcCARYmaHR0cHM6Ly93d3cuZ2xvYmFsc2lnbi5jb20vcmVw
b3NpdG9yeS8wJQYDVR0RBB4wHIINKi5vcGVuc3NsLm9yZ4ILb3BlbnNzbC5vcmcw
CQYDVR0TBAIwADAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwQwYDVR0f
BDwwOjA4oDagNIYyaHR0cDovL2NybC5nbG9iYWxzaWduLmNvbS9ncy9nc2RvbWFp
bnZhbHNoYTJnMi5jcmwwgZQGCCsGAQUFBwEBBIGHMIGEMEcGCCsGAQUFBzAChjto
dHRwOi8vc2VjdXJlLmdsb2JhbHNpZ24uY29tL2NhY2VydC9nc2RvbWFpbnZhbHNo
YTJnMnIxLmNydDA5BggrBgEFBQcwAYYtaHR0cDovL29jc3AyLmdsb2JhbHNpZ24u
Y29tL2dzZG9tYWludmFsc2hhMmcyMB0GA1UdDgQWBBQPVUooul4mMU0KrqGTBtQ6
ZtRofjAfBgNVHSMEGDAWgBTqTnzUgC3lFYGGJoyCbcCYpM+XDzANBgkqhkiG9w0B
AQsFAAOCAQEAiJDoinZmR2M9Zlap1DM9WOHgwIMot154eNPZyf27rYxv9kekdTAp
9fesfBScMzq9NCyzy8rtWxMCPyhpCXh9iibkC3Yon+sj/gZSrNNh2nfeKhuroBxi
alaGRjg1WHNKx4Wc5dGm+chJCZFWOk1NzB8JZQQcSNt3IFyDWSScEGXwiVe1VbUa
tYIohSiWzvFMEfj7YoXt6tihYqEJG42jBg7MhaUtI4rUSDC5LB20Zhv0OG5CRORj
Wg8Iz2SUXkH8F1RJo+kMbCC/DFeII/ZTrF+B7qRVvLkctlLcukylqvsE1vibozQb
0A8/RZkfkqobqnkLnYeLUSCWNx/AHm8L5w==
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/CN=*.openssl.org
issuer=/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - SHA256 - G2
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3094 bytes and written 443 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 2FD38B8D2C8B19A1147EF4EAE05ADCD4EEA173A4AC5DB099EC2068B8C410C447
Session-ID-ctx:
Master-Key: DC29698D8DF1353C367B59E1A5C2ECFF701F008CB0AF065E2645F549DF3C6C2181C75EEB23528B552BD7974F6607EAC4
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - 34 17 31 4f 0b 41 66 b3-72 19 aa 32 4c ab dd 2b 4.1O.Af.r..2L..+
0010 - 75 d5 2a 39 5a 83 49 09-8b fb 9a 19 a6 8e d5 cc u.*9Z.I.........
0020 - 92 b6 99 2e e3 4e 7a 48-80 bc a9 ef 76 42 ac 80 .....NzH....vB..
0030 - df 8c e2 4c 26 7a 1c 01-0f e1 6e 58 84 77 55 0c ...L&z....nX.wU.
0040 - b3 ce 21 ed 87 04 03 79-04 99 4d 4a 72 ac db 99 ..!....y..MJr...
0050 - f6 d0 e2 06 f5 6c 27 f2-5b f2 5d 2a b7 be b8 cf .....l'.[.]*....
0060 - ec 05 18 e8 a2 ed a8 5a-8a 53 50 0f 60 dc ce 35 .......Z.SP.`..5
0070 - c8 f6 ec 49 eb 42 46 0a-b8 82 33 28 10 63 d0 9f ...I.BF...3(.c..
0080 - e3 a7 00 db 23 ed c2 1a-46 06 63 58 91 88 b6 e1 ....#...F.cX....
0090 - a2 30 93 22 31 1c b6 43-a9 a7 5e 06 bf ad 0a 99 .0."1..C..^.....
00a0 - 84 ef 63 3f f5 eb 18 bc-88 f4 04 2f d2 4a bf 2c ..c?......./.J.,
00b0 - 62 ad 3e 4f 44 84 7b 87-b0 96 9e d0 19 ed 26 5d b.>OD.{.......&]
Start Time: 1451515804
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
read:errno=0
It sounded like I don’t have the certificate on my machine so I went to download the certificate at:
https://support.globalsign.com/customer/portal/articles/1464460-domainssl-intermediate-certificates
I selected SHA-256 Orders (Default)
I got a message saying:
“This certificate is already installed as a certificate authority”
So I ran a test with this:
C:ProgramsOpenSSL-Win32bin>openssl s_client -CAfile GlobalSign Domain Validation CA - SHA256 - G2
unknown option Domain
usage: s_client args
-host host - use -connect instead
-port port - use -connect instead
-connect host:port - who to connect to (default is localhost:4433)
-verify_host host - check peer certificate matches "host"
-verify_email email - check peer certificate matches "email"
-verify_ip ipaddr - check peer certificate matches "ipaddr"
-verify arg - turn on peer certificate verification
-verify_return_error - return verification errors
-cert arg - certificate file to use, PEM format assumed
-certform arg - certificate format (PEM or DER) PEM default
-key arg - Private key file to use, in cert file if
not specified but cert file is.
-keyform arg - key format (PEM or DER) PEM default
-pass arg - private key file pass phrase source
-CApath arg - PEM format directory of CA's
-CAfile arg - PEM format file of CA's
-no_alt_chains - only ever use the first certificate chain found
-reconnect - Drop and re-make the connection with the same Session-ID
-pause - sleep(1) after each read(2) and write(2) system call
-prexit - print session information even on connection failure
-showcerts - show all certificates in the chain
-debug - extra output
-msg - Show protocol messages
-nbio_test - more ssl protocol testing
-state - print the 'ssl' states
-nbio - Run with non-blocking IO
-crlf - convert LF from terminal into CRLF
-quiet - no s_client output
-ign_eof - ignore input eof (default when -quiet)
-no_ign_eof - don't ignore input eof
-psk_identity arg - PSK identity
-psk arg - PSK in hex (without 0x)
-srpuser user - SRP authentification for 'user'
-srppass arg - password for 'user'
-srp_lateuser - SRP username into second ClientHello message
-srp_moregroups - Tolerate other than the known g N values.
-srp_strength int - minimal length in bits for N (default 1024).
-ssl2 - just use SSLv2
-ssl3 - just use SSLv3
-tls1_2 - just use TLSv1.2
-tls1_1 - just use TLSv1.1
-tls1 - just use TLSv1
-dtls1 - just use DTLSv1
-fallback_scsv - send TLS_FALLBACK_SCSV
-mtu - set the link layer MTU
-no_tls1_2/-no_tls1_1/-no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol
-bugs - Switch on all SSL implementation bug workarounds
-serverpref - Use server's cipher preferences (only SSLv2)
-cipher - preferred cipher to use, use the 'openssl ciphers'
command to see what is available
-starttls prot - use the STARTTLS command before starting TLS
for those protocols that support it, where
'prot' defines which one to assume. Currently,
only "smtp", "pop3", "imap", "ftp" and "xmpp"
are supported.
-engine id - Initialise and use the specified engine
-rand file;file;...
-sess_out arg - file to write SSL session to
-sess_in arg - file to read SSL session from
-servername host - Set TLS extension servername in ClientHello
-tlsextdebug - hex dump of all TLS extensions received
-status - request certificate status from server
-no_ticket - disable use of RFC4507bis session tickets
-serverinfo types - send empty ClientHello extensions (comma-separated numbers)
-curves arg - Elliptic curves to advertise (colon-separated list)
-sigalgs arg - Signature algorithms to support (colon-separated list)
-client_sigalgs arg - Signature algorithms to support for client
certificate authentication (colon-separated list)
-nextprotoneg arg - enable NPN extension, considering named protocols supported (comma-separated list)
-alpn arg - enable ALPN extension, considering named protocols supported (comma-separated list)
-legacy_renegotiation - enable use of legacy renegotiation (dangerous)
-use_srtp profiles - Offer SRTP key management with a colon-separated profile list
-keymatexport label - Export keying material using label
-keymatexportlen len - Export len bytes of keying material (default 20)
What am I doing wrong?
Thank you.
Your first error is – you need a certificate file. Or at least path to them, so that you can verify the OpenSSL.org certificate.
Your second error – you don’t specify a file and
-CAfile
requires a single certificate (PEM or DER encoded).The easiest way to perform connection with OpenSSL.org:
Download mozilla certificate bundle from here: http://curl.haxx.se/docs/caextract.html
Run
openssl s_client -connect www.openssl.org:443 -CAfile .cabundle.crt
and you should have a nice return code 0.