The example given returns the same result for me on an up-to-date Maverick system. I think the problem is just a misleading error message bubbling up from openssl. s_client does give an error about the self-signed cert:
verify error:num=19:self signed certificate in certificate chain
Full log:
clint@ubuntu:~$ openssl s_client -host cas.ucdavis.edu -port 443
CONNECTED(00000003)
depth=1 /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
0 s:/C=US/ST=California/L=Davis/O=University of California Davis/OU=IET-IR/CN=cas.ucdavis.edu
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
1 s:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
subject=/C=US/ST=California/L=Davis/O=University of California Davis/OU=IET-IR/CN=cas.ucdavis.edu
issuer=/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
No client certificate CA names sent
---
SSL handshake has read 2147 bytes and written 276 bytes
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : EDH-RSA-DES-CBC3-SHA
Session-ID: 4C116AFE454ACEE059BF6889329DDEB55963208CB0353EBCB8F2774B3B1A92A5
Session-ID-ctx:
Master-Key: B7D3BB1CA375E594F0E82EE8EB4CD3FAD33B17E96BFFCD34DDF95AA02EBE439C2ED9E0216F96E2205E35237610A50869
Key-Arg : None
Start Time: 1276209918
Timeout : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---
HEAD / HTTP/1.0
Host: cas.ucdavis.edu
HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
Location: https://cas.ucdavis.edu/login
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 0
Date: Thu, 10 Jun 2010 22:45:34 GMT
Connection: close
closed
clint@ubuntu:~$
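
As an added example (not part of the original comment, and not OpenSSL's own code): a small Python parser for `openssl s_client` output that extracts the chain and the verify code and reports which chain entry produced error 19. The embedded transcript is an excerpt of the log above; the function names are hypothetical.

```python
import re

# Excerpt of the s_client transcript from the comment above (certificate body omitted).
LOG = """CONNECTED(00000003)
depth=1 /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
0 s:/C=US/ST=California/L=Davis/O=University of California Davis/OU=IET-IR/CN=cas.ucdavis.edu
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
1 s:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Verify return code: 19 (self signed certificate in certificate chain)
"""

def parse_chain(text):
    """Return [(index, subject, issuer), ...] from the 'Certificate chain' section."""
    chain, in_chain = [], False
    for line in (l.strip() for l in text.splitlines()):
        if line == "Certificate chain":
            in_chain = True
        elif in_chain and line == "---":
            break  # end of the chain listing
        elif in_chain and (m := re.match(r"(\d+) s:(.*)", line)):
            chain.append([int(m.group(1)), m.group(2), None])
        elif in_chain and line.startswith("i:") and chain:
            chain[-1][2] = line[2:]
    return [tuple(c) for c in chain]

def verify_code(text):
    """Return (code, reason) from the 'Verify return code' line, or None."""
    m = re.search(r"Verify return code: (\d+) \((.*?)\)", text)
    return (int(m.group(1)), m.group(2)) if m else None

def diagnose(text):
    """Explain codes 18 and 19 using the parsed chain; pass other codes through."""
    result = verify_code(text)
    if result is None:
        return "no verify result in transcript"
    code, reason = result
    self_signed = [i for i, subj, iss in parse_chain(text) if subj == iss]
    if code == 19 and self_signed:
        return f"chain entry {self_signed[-1]} is a self-signed root not in the local trust store"
    if code == 18:
        return "the server certificate itself is self-signed"
    return "verified" if code == 0 else f"verify failed: {reason}"

if __name__ == "__main__":
    print(parse_chain(LOG), diagnose(LOG))
```

Code 19 means the chain could be built from the certificates the server sent but its root was not found among the locally trusted CAs, which is why the handshake in the log still completes and the HTTP request succeeds.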