So, I'm not sure about that one. Apparently s_client ignores the error and completes the connection because it's intended to be used for debugging.
> Currently the verify operation continues after errors so all the problems with a certificate chain can be seen. As a side effect the connection will never fail due to a server certificate verify failure.
https://www.openssl.org/docs/apps/s_client.html
https://www.mail-archive.com/openssl-users@openssl.org/msg71...
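
Added example, not part of the original comment: because the connection completes whether or not verification succeeded, a script has to read the "Verify return code" line from s_client's transcript to get a pass/fail result. The function name and the sample transcripts below are constructed for illustration.

```shell
#!/usr/bin/env bash
# Decide pass/fail from s_client's transcript; the completed connection
# alone says nothing about whether the certificate chain verified.

# Reads s_client output on stdin. Succeeds only if at least one
# "Verify return code" line is present and every one of them is 0.
# Prints the first non-zero code, 0 on success, or "none" if no such
# line exists (for example, the handshake never completed).
s_client_verify_ok() {
    awk '
        /Verify return code:/ {
            seen = 1
            # The field after the literal "code:" is the numeric result.
            for (i = 1; i <= NF; i++) if ($i == "code:") code = $(i + 1)
            if (code + 0 != 0 && !failed) { failed = 1; bad = code }
        }
        END {
            if (!seen)  { print "none"; exit 2 }
            if (failed) { print bad;    exit 1 }
            print 0
        }
    '
}

# Constructed sample transcripts (abridged), not captured from a real server.
SAMPLE_OK='SSL-Session:
    Protocol  : TLSv1.2
    Verify return code: 0 (ok)'

SAMPLE_SELF_SIGNED='verify error:num=18:self signed certificate
SSL-Session:
    Protocol  : TLSv1.2
    Verify return code: 18 (self signed certificate)'

# Demo over the constructed samples. Against a live host the input would be:
#   openssl s_client -connect example.com:443 </dev/null 2>/dev/null
for s in "$SAMPLE_OK" "$SAMPLE_SELF_SIGNED"; do
    if code=$(printf '%s\n' "$s" | s_client_verify_ok); then
        echo "chain verified (code $code)"
    else
        echo "NOT verified (code $code)"
    fi
done
```

Later OpenSSL releases also accept -verify_return_error on s_client, which aborts the handshake on a verification failure instead of continuing.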