While checking Google's certificate with OpenSSL I get
$ echo 'Q' | /usr/bin/openssl s_client -connect www.google.com:443 -servername www.google.com -verify 6 > /dev/null
verify depth is 6
depth=2 /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=2 /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
verify error:num=27:certificate not trusted
verify return:1
depth=1 /C=US/O=Google Inc/CN=Google Internet Authority G2
verify return:1
depth=0 /C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
verify return:1
DONE
I then extracted the root certificates from Keychain
$ security find-certificate -a -p /Library/Keychains/System.keychain > cabundle.pem
$ security find-certificate -a \
-p /System/Library/Keychains/SystemRootCertificates.keychain >> cabundle.pem
and supplied them to OpenSSL, with the same result
$ echo 'Q' | /usr/bin/openssl s_client -connect www.google.com:443 \
-servername www.google.com -verify 6 -CAfile ./cabundle.pem > /dev/null
verify depth is 6
depth=2 /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=2 /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
verify error:num=27:certificate not trusted
verify return:1
depth=1 /C=US/O=Google Inc/CN=Google Internet Authority G2
verify return:1
depth=0 /C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
verify return:1
DONE
With the MacPorts openssl, or with the same on a Linux machine, everything works as expected.
Am I missing some root certificates?
I am using OpenSSL 0.9.8zh 14 Jan 2016 on OS X El Capitan (10.11.5)