[openssl-commits] [openssl] OpenSSL_1_0_2-stable update
Matt Caswell
matt at openssl.org
Wed Apr 25 09:56:12 UTC 2018
The branch OpenSSL_1_0_2-stable has been updated
via e77017b39c60ddbb4775e6b0d45a81fe7128caf7 (commit)
from 9668efbcf3b924f23320b58b8f44bbe8b9490e5e (commit)
- Log -----------------------------------------------------------------
commit e77017b39c60ddbb4775e6b0d45a81fe7128caf7
Author: Matt Caswell <matt at openssl.org>
Date: Tue Apr 24 10:27:32 2018 +0100
Fix documentation for the -showcerts s_client option
This option shows the certificates as sent by the server. It is not the
full verified chain.
Fixes #4933
Reviewed-by: Rich Salz <rsalz at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6069)
-----------------------------------------------------------------------
Summary of changes:
apps/s_client.c | 2 +-
doc/apps/s_client.pod | 8 +++++---
2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/apps/s_client.c b/apps/s_client.c
index c855668..9b09672 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -337,7 +337,7 @@ static void sc_usage(void)
BIO_printf(bio_err,
" -prexit - print session information even on connection failure\n");
BIO_printf(bio_err,
- " -showcerts - show all certificates in the chain\n");
+ " -showcerts - Show all certificates sent by the server\n");
BIO_printf(bio_err, " -debug - extra output\n");
#ifdef WATT32
BIO_printf(bio_err, " -wdebug - WATT-32 tcp debugging\n");
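Review bot: The replacement usage string in sc_usage() capitalises "Show", while the neighbouring entries visible in this hunk ("print session information even on connection failure", "extra output") start in lower case. Suggest " -showcerts - show all certificates sent by the server\n" so the help output stays consistent. The wording change itself matches the commit message: the option prints what the server sent, not a chain the client has built or verified.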
diff --git a/doc/apps/s_client.pod b/doc/apps/s_client.pod
index d2cad29..77cc071 100644
--- a/doc/apps/s_client.pod
+++ b/doc/apps/s_client.pod
@@ -141,8 +141,9 @@ pauses 1 second between each read and write call.
=item B<-showcerts>
-display the whole server certificate chain: normally only the server
-certificate itself is displayed.
+Displays the server certificate list as sent by the server: it only consists of
+certificates the server has sent (in the order the server has sent them). It is
+B<not> a verified chain.
=item B<-prexit>
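Review bot: In the B<-showcerts> item the new text says the same thing twice ("as sent by the server" and "it only consists of certificates the server has sent"), and it drops the old statement of what is displayed without the option ("normally only the server certificate itself is displayed"). Suggest tightening to one clause, for example "Displays the certificates sent by the server, in the order the server sent them. It is B<not> a verified chain.", and keeping a sentence on the default behaviour so readers still know what they get when the option is omitted. The explicit "not a verified chain" wording is the important part and should stay, since users may otherwise read this output as evidence that verification succeeded.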
@@ -354,7 +355,8 @@ a client certificate. Therefor merely including a client certificate
on the command line is no guarantee that the certificate works.
If there are problems verifying a server certificate then the
-B<-showcerts> option can be used to show the whole chain.
+B<-showcerts> option can be used to show all the certificates sent by the
+server.
Since the SSLv23 client hello cannot include compression methods or extensions
these will only be supported if its use is disabled, for example by using the
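Review bot: The troubleshooting sentence under "If there are problems verifying a server certificate" now says the option shows "all the certificates sent by the server" but does not repeat or point to the caveat added in the B<-showcerts> item that this is not a verified chain. A reader who lands on this paragraph first gets no hint that the output is unverified; suggest adding a short clause here or a reference back to the option description. Separately, the context shown in the hunk header still reads "Therefor merely including a client certificate", which could be corrected to "Therefore" while this section is being touched.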