So, I'm not sure about that one. Apparently s_client ignores the error and completes the connection because it's intended to be used for debugging.
> Currently the verify operation continues after errors so all the problems with a certificate chain can be seen. As a side effect the connection will never fail due to a server certificate verify failure.
I don't know what you think that pastebin shows, but that error is not specific to OS X or to ssl.apple.com. OpenSSL is failing to validate the server certificate because you forgot to specify the -CAfile option.
Oh wow, you're right, sorry. I saw the error code at the top, and missed the fact that it was reporting success anyway at the bottom. That's... pretty terrible.
> Currently the verify operation continues after errors so all the problems with a certificate chain can be seen. As a side effect the connection will never fail due to a server certificate verify failure.
https://www.openssl.org/docs/apps/s_client.html
https://www.mail-archive.com/openssl-users@openssl.org/msg71...