Using s_client to send additional (spurious) certificates
Andrew Lee-Thorp
aleethorp at hotmail.com
Tue Jul 9 14:48:31 UTC 2024
Hello,
Can s_client be used to send additional certificates (i.e. certificates that are not part of the chain for the current connection)
I am trying to do the following (pseudocode):
s_client -key myclient.key -cert myclient.cer -verifyCAfile expectedserverCA -connect server:port -fileAdditionalCertsToSend othercerts
The -fileAdditionalCertsToSend does not exist but I'd like to mimic this if possible.
The options -cert_chain and -build_chain don't seem to be what I want because I want s_client to send the additional certificates regardless, not attempt to build any chain using them.
-cert_chain
A file or URI of untrusted certificates to use when attempting to build the certificate chain related to the certificate specified via the -cert option. The input can be in PEM, DER, or PKCS#12 format.
-build_chain
Specify whether the application should build the client certificate chain to be provided to the server.
For additional context - the server is expecting the chain [client1,ca1] but the extended verification logic suggests I might be able to connect using [client2, ca2] - because of the way the server builds and validates a chain from the list of untrusted certs presented by the client.
My pseudo usage of s_client equates to:
s_client -key client2.key -cert client2.cer -verifyCAfile expectedserverCA -connect server:port -fileAdditionalCertsToSend [client1, ca1]
Kind regards
Andrew
More information about the openssl-users
mailing list