Using s_client to send additional (spurious) certificates

Andrew Lee-Thorp aleethorp at hotmail.com
Tue Jul 9 14:48:31 UTC 2024


Hello,

Can s_client be used to send additional certificates (i.e. certificates that are not part of the chain for the current connection)?

I am trying to do the following (pseudocode):

s_client -key myclient.key -cert myclient.cer -verifyCAfile expectedserverCA -connect server:port -fileAdditionalCertsToSend othercerts

The -fileAdditionalCertsToSend option does not exist, but I'd like to mimic it if possible.

The options -cert_chain and -build_chain don't seem to be what I want, because I want s_client to send the additional certificates regardless, not attempt to build any chain using them.

-cert_chain
A file or URI of untrusted certificates to use when attempting to build the certificate chain related to the certificate specified via the -cert option. The input can be in PEM, DER, or PKCS#12 format.

-build_chain
Specify whether the application should build the client certificate chain to be provided to the server.

For additional context - the server is expecting the chain [client1,ca1] but the extended verification logic suggests I might be able to connect using [client2, ca2] - because of the way the server builds and validates a chain from the list of untrusted certs presented by the client.
 
My pseudo usage of s_client equates to:

s_client -key client2.key -cert client2.cer -verifyCAfile expectedserverCA -connect server:port -fileAdditionalCertsToSend [client1, ca1]

Kind regards
Andrew

