What Does verify return:1 Mean in the openssl Output?

https://serverfault.com/questions/747525/what-does-verify-return1-mean-in-the-openssl-output


I don’t understand the openssl output. Running openssl as follows:

#openssl s_client -connect google.com:443 -CAfile cacert.pem < /dev/null

Ultimately all is well in that the end entity’s cert was verified OK: Verify return code: 0 (ok)

But what about the verify return:1 at the beginning of the output for the intermediates below? What does that mean, or what is its point?

    depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
    verify return:1
    depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
    verify return:1
    depth=1 C = US, O = Google Inc, CN = Google Internet Authority G2
    verify return:1
    depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = google.com
    verify return:1


    Certificate chain
     0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=google.com
       i:/C=US/O=Google Inc/CN=Google Internet Authority G2
     1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
       i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
     2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
       i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
    ---


Asked Jan 8, 2016 at 0:42 by jouell

1 Answer

The verify callback function (used to perform final verification of the applicability of the certificate for the particular use) is passed a field by SSL called the preverify_okay field that indicates whether the certificate chain passed the basic checks that apply to all cases. A 1 means these checks passed.

int verify_callback(int preverify_ok, X509_STORE_CTX *x509_ctx)

The verify_callback function is used to control the behaviour when the SSL_VERIFY_PEER flag is set. It must be supplied by the application and receives two arguments: preverify_ok indicates, whether the verification of the certificate in question was passed (preverify_ok=1) or not (preverify_ok=0).

This is what the verify return:1 is showing.

You can check the code if you want more details:

    int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx)
    {
        [ snip ]
        BIO_printf(bio_err,"verify return:%d\n",ok);
        return(ok);
    }

Answered Jan 8, 2016 at 8:28
