[openssl-commits] [openssl] OpenSSL_1_0_2-stable update

Matt Caswell matt at openssl.org
Wed Apr 25 09:56:12 UTC 2018

The branch OpenSSL_1_0_2-stable has been updated
       via  e77017b39c60ddbb4775e6b0d45a81fe7128caf7 (commit)
      from  9668efbcf3b924f23320b58b8f44bbe8b9490e5e (commit)

- Log -----------------------------------------------------------------
commit e77017b39c60ddbb4775e6b0d45a81fe7128caf7
Author: Matt Caswell <matt at openssl.org>
Date:   Tue Apr 24 10:27:32 2018 +0100

    Fix documentation for the -showcerts s_client option
    This option shows the certificates as sent by the server. It is not the
    full verified chain.
    Fixes #4933
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/6069)


Summary of changes:
 apps/s_client.c       | 2 +-
 doc/apps/s_client.pod | 8 +++++---
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/apps/s_client.c b/apps/s_client.c
index c855668..9b09672 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -337,7 +337,7 @@ static void sc_usage(void)
                " -prexit       - print session information even on connection failure\n");
-               " -showcerts    - show all certificates in the chain\n");
+               " -showcerts    - Show all certificates sent by the server\n");
     BIO_printf(bio_err, " -debug        - extra output\n");
 #ifdef WATT32
     BIO_printf(bio_err, " -wdebug       - WATT-32 tcp debugging\n");
diff --git a/doc/apps/s_client.pod b/doc/apps/s_client.pod
index d2cad29..77cc071 100644
--- a/doc/apps/s_client.pod
+++ b/doc/apps/s_client.pod
@@ -141,8 +141,9 @@ pauses 1 second between each read and write call.
 =item B<-showcerts>
-display the whole server certificate chain: normally only the server
-certificate itself is displayed.
+Displays the server certificate list as sent by the server: it only consists of
+certificates the server has sent (in the order the server has sent them). It is
+B<not> a verified chain.
 =item B<-prexit>
@@ -354,7 +355,8 @@ a client certificate. Therefor merely including a client certificate
 on the command line is no guarantee that the certificate works.
 If there are problems verifying a server certificate then the
-B<-showcerts> option can be used to show the whole chain.
+B<-showcerts> option can be used to show all the certificates sent by the
 Since the SSLv23 client hello cannot include compression methods or extensions
 these will only be supported if its use is disabled, for example by using the

More information about the openssl-commits mailing list