[openssl-users] Test SSL connection

Viktor Dukhovni openssl-users at dukhovni.org
Wed May 30 21:08:16 UTC 2018



> On May 30, 2018, at 4:06 PM, Jordan Brown <openssl at jordan.maileater.net> wrote:
> 
> And also:  the certificate is unlikely to list an IP address, so it should fail hostname verification.  You need to use a host name in your client connection request, not an IP address.
> 
> (Pretty much, you don't ever want to use IP addresses in specifying TLS connections.)

True, but s_client does not do namechecks by default.  You'd have
to request that behaviour with the "-verify_hostname" option.  The
OP does not report doing that, so verification was likely limited
to just checking the trust chain.

A more complete invocation (with 1.1.0 or later) would be:

  openssl s_client \
	-connect $host:$port \
	-CApath $capath \
	-CAfile $cafile \
	-verify $depth \
	-servername $host \
	-verify_hostname $host \
        -verify_return_error

for suitable choices of $capath, $cafile, $depth, $host and $port
and in some cases additional desired options.

-- 
	Viktor.



More information about the openssl-users mailing list