[openssl-users] s_client bug or expected behavior?
noloader at gmail.com
Thu Jul 9 13:31:29 UTC 2015
On Debian and Macports, the script below returns "Verify return code:
0 (ok)". Effectively, it claims Google's CA is certifying Microsoft
Some folks claim this is expected behavior. s_client(3) does not
discuss the expected behavior, so I'm not sure what should be
expected. (I thought expected behavior was to use a default Trust
Store if both -CApath and -CAfile was *not* specified; otherwise, only
use what was specified).
For the folks who claim its expected, I think their reasoning reduces
to "s_client has a trust store, and specifying -CAfile means Trust
Store + CAfile is used to verify the connection, rather than just
Is it expected behavior that s_client will effectively use Trust Store
+ CAfile (or Trust Store + CApath)?
(I'm happy to update s_client(3) man page to remove all ambiguity once
I know what the documented behavior is supposed to be).
Thanks in advance.
$ cat s_client-test.sh
openssl x509 -in GIAG2.crt -inform DER -out GIAG2.pem -outform PEM
# Intuitively, this should fail, but it does not.
openssl s_client -connect www.microsoft.com:443 -tls1 -servername
www.microsoft.com -CAfile GIAG2.pem
More information about the openssl-users