[openssl-users] s_client bug or expected behavior?

Jeffrey Walton noloader at gmail.com
Thu Jul 9 13:31:29 UTC 2015

On Debian and Macports, the script below returns "Verify return code:
0 (ok)". Effectively, it claims Google's CA is certifying Microsoft

Some folks claim this is expected behavior. s_client(3) does not
discuss the expected behavior, so I'm not sure what should be
expected. (I thought expected behavior was to use a default Trust
Store if both -CApath and -CAfile was *not* specified; otherwise, only
use what was specified).

For the folks who claim its expected, I think their reasoning reduces
to "s_client has a trust store, and specifying -CAfile means Trust
Store + CAfile is used to verify the connection, rather than just

Is it expected behavior that s_client will effectively use Trust Store
+ CAfile (or Trust Store + CApath)?

(I'm happy to update s_client(3) man page to remove all ambiguity once
I know what the documented behavior is supposed to be).

Thanks in advance.


$ cat s_client-test.sh

wget https://pki.google.com/GIAG2.crt
openssl x509 -in GIAG2.crt -inform DER -out GIAG2.pem -outform PEM

# Intuitively, this should fail, but it does not.
openssl s_client -connect www.microsoft.com:443 -tls1 -servername
www.microsoft.com -CAfile GIAG2.pem

More information about the openssl-users mailing list