[openssl-users] s_client/s_server trouble

Jakob Bohm jb-openssl at wisemo.com
Thu May 19 16:31:54 UTC 2016

On 19/05/2016 18:19, Viktor Dukhovni wrote:
> With 0.9.8 s_client or s_server will be able to use the default
> CApath that is probably hashed with the 0.9.8-compatible hash
> algorithm, allowing either or both to construct a more complete
> chain,
Indeed, I find it very confusing that specifying -CAfile
or -CApath to the various "apps" doesn't override the
default value of the other, causing various tests to trust
additional certificates not intended to be trusted by that

This hit me when I was trying to test yesterdays question
about the numbering of certificate depths in error messages,
as openssl verify kept accepting the test case despite
using a CAfile without the relevant root.  I had to pass
in a dummy (empty) -CApath to get the expected results.

Also, passing an empty file (such as /dev/null) for -CAfile
causes an error, forcing the use of an irrelevant certificate
file to trust an empty list of certificates.


Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

More information about the openssl-users mailing list