[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

Matt Caswell matt at openssl.org
Wed Apr 25 09:54:24 UTC 2018


The branch OpenSSL_1_1_0-stable has been updated
       via  fd749e2a0fde493216e0fd2896643badd0d875fe (commit)
      from  36ebf15d495d8c10163c04d0fd7348dbc445c609 (commit)


- Log -----------------------------------------------------------------
commit fd749e2a0fde493216e0fd2896643badd0d875fe
Author: Matt Caswell <matt at openssl.org>
Date:   Tue Apr 24 10:27:32 2018 +0100

    Fix documentation for the -showcerts s_client option
    
    This option shows the certificates as sent by the server. It is not the
    full verified chain.
    
    Fixes #4933
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/6068)

-----------------------------------------------------------------------

Summary of changes:
 apps/s_client.c       | 3 ++-
 doc/apps/s_client.pod | 8 +++++---
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/apps/s_client.c b/apps/s_client.c
index fb89f0c..81669d0 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -593,7 +593,8 @@ OPTIONS s_client_options[] = {
      "Disable name checks when matching DANE-EE(3) TLSA records"},
     {"reconnect", OPT_RECONNECT, '-',
      "Drop and re-make the connection with the same Session-ID"},
-    {"showcerts", OPT_SHOWCERTS, '-', "Show all certificates in the chain"},
+    {"showcerts", OPT_SHOWCERTS, '-',
+     "Show all certificates sent by the server"},
     {"debug", OPT_DEBUG, '-', "Extra output"},
     {"msg", OPT_MSG, '-', "Show protocol messages"},
     {"msgfile", OPT_MSGFILE, '>',
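Review bot: The new usage string for the "showcerts" entry says what is shown but not that the list is unverified, which is the distinction both the commit message and the pod change draw. Consider carrying that into the help text, for example "Show all certificates sent by the server (unverified)", so that the -help output and the manual page agree.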
diff --git a/doc/apps/s_client.pod b/doc/apps/s_client.pod
index 01a6c5f..9f6c7ec 100644
--- a/doc/apps/s_client.pod
+++ b/doc/apps/s_client.pod
@@ -281,8 +281,9 @@ be used as a test that session caching is working.
 
 =item B<-showcerts>
 
-display the whole server certificate chain: normally only the server
-certificate itself is displayed.
+Displays the server certificate list as sent by the server: it only consists of
+certificates the server has sent (in the order the server has sent them). It is
+B<not> a verified chain.
 
 =item B<-prexit>
 
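Review bot: The rewritten B<-showcerts> item no longer says what is displayed when the option is absent; the removed text had "normally only the server certificate itself is displayed". If that is still the default behaviour, keep a sentence to that effect. The clause "it only consists of certificates the server has sent" also restates "as sent by the server" and could be dropped, leaving the ordering remark and the "B<not> a verified chain" sentence.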
@@ -579,7 +580,8 @@ a client certificate. Therefor merely including a client certificate
 on the command line is no guarantee that the certificate works.
 
 If there are problems verifying a server certificate then the
-B<-showcerts> option can be used to show the whole chain.
+B<-showcerts> option can be used to show all the certificates sent by the
+server.
 
 The B<s_client> utility is a test tool and is designed to continue the
 handshake after any certificate verification errors. As a result it will
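Review bot: In the paragraph on problems verifying a server certificate, the new wording does not repeat that the output is not a verified chain, which is the point a reader debugging a verification failure most needs at this spot. Suggest adding a short clause or a pointer back to the B<-showcerts> item. Separately, the hunk header context shows "Therefor" in the preceding paragraph, which could be corrected to "Therefore" in the same pass.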

