Yeah, it's an SNI issue.
Sending SNI hostname:
[cloudshell-user@ip-10-1-146-204 ~]$ openssl11 s_client -connect stackoverflow.com:443 -servername stackoverflow.com
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = *.stackexchange.com
verify return:1
---
Certificate chain
0 s:CN = *.stackexchange.com
i:C = US, O = Let's Encrypt, CN = R3
1 s:C = US, O = Let's Encrypt, CN = R3
i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Not sending SNI hostname:
[cloudshell-user@ip-10-1-146-204 ~]$ openssl11 s_client -connect stackoverflow.com:443 -noservername
CONNECTED(00000003)
depth=1 C = US, O = Let's Encrypt, CN = R3
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = *.stackexchange.com
verify error:num=10:certificate has expired
notAfter=Mar 3 14:00:52 2021 GMT
verify return:1
depth=0 CN = *.stackexchange.com
notAfter=Mar 3 14:00:52 2021 GMT
verify return:1
---
Certificate chain
0 s:CN = *.stackexchange.com
i:C = US, O = Let's Encrypt, CN = R3
1 s:C = US, O = Let's Encrypt, CN = R3
i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
So, there are two problems:
- StackOverflow sends a wrong certificate chain when a client isn't using SNI.
- Your code should probably send the hostname you're trying to connect to using SNI.
SNI is pretty much supported by everything nowadays. I don't know offhand how to use openssl's C API to do so (I can barely work my way around the openssl command line), but I'm sure there's a way.