[openssl-users] Test SSL connection
Viktor Dukhovni
openssl-users at dukhovni.org
Wed May 30 21:08:16 UTC 2018
> On May 30, 2018, at 4:06 PM, Jordan Brown <openssl at jordan.maileater.net> wrote:
>
> And also: the certificate is unlikely to list an IP address, so it should fail hostname verification. You need to use a host name in your client connection request, not an IP address.
>
> (Pretty much, you don't ever want to use IP addresses in specifying TLS connections.)
True, but s_client does not do namechecks by default. You'd have
to request that behaviour with the "-verify_hostname" option. The
OP does not report doing that, so verification was likely limited
to just checking the trust chain.
A more complete invocation (with 1.1.0 or later) would be:
openssl s_client \
-connect $host:$port \
-CApath $capath \
-CAfile $cafile \
-verify $depth \
-servername $host \
-verify_hostname $host \
-verify_return_error
for suitable choices of $capath, $cafile, $depth, $host and $port
and in some cases additional desired options.
--
Viktor.
More information about the openssl-users
mailing list