Re: openssl s_client options
Hello,
> I try with the -verify option
> openssl s_client -connect localhost:8890 -CAfile trustees.pem -showcerts -state
> -ssl3 -msg -verify 10
>
> But still no SSL alerts sent even if it detects an error ... can you give me the
> reason?
Yes, indeed, when I try to setup server:
$ openssl s_server -key key.pem -cert crt.pem
and connect with client:
$ openssl s_client -verify 10
connection is established.
In s_client, when you use "-verify 10" the SSL_VERIFY_PEER flag is set, which (according to the documentation) means:
SSL_VERIFY_PEER

Server mode: the server sends a client certificate request to the client. The certificate returned (if any) is checked. If the verification process fails, the TLS/SSL handshake is immediately terminated with an alert message containing the reason for the verification failure. The behaviour can be controlled by the additional SSL_VERIFY_FAIL_IF_NO_PEER_CERT and SSL_VERIFY_CLIENT_ONCE flags.

Client mode: the server certificate is verified. If the verification process fails, the TLS/SSL handshake is immediately terminated with an alert message containing the reason for the verification failure. If no server certificate is sent, because an anonymous cipher is used, SSL_VERIFY_PEER is ignored.
In my understanding this connection should be dropped; maybe this is a bug?
Best regards,
--
Marek Marcola
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majordomo@openssl.org
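The behaviour above can be reproduced and checked with the script below, an added example that is not part of the thread: s_client's built-in verify callback prints the verification error but reports success, so the handshake completes and the process exits 0; adding -verify_return_error makes the callback return the failure, the handshake aborts with an alert and the exit status is non-zero. It assumes an openssl binary whose s_client supports -verify_return_error and a free loopback port (48890 is an assumption, override with PORT=...).

```shell
#!/bin/sh
# Added example (not from the thread): rebuild the s_server/s_client setup with
# a throwaway self-signed certificate and compare s_client's exit status with
# plain "-verify 10" and with "-verify_return_error" added.
WORK=$(mktemp -d)
PORT=${PORT:-48890}        # assumed free port on 127.0.0.1

# Self-signed key/cert for localhost. It is in no trust store, so the client
# reports verify error 18 (depth-zero self-signed certificate).
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=localhost \
    -keyout "$WORK/key.pem" -out "$WORK/crt.pem" >/dev/null 2>&1
}

# Background s_server like the one in the thread; keep its pid for cleanup.
start_server() {
  openssl s_server -key "$WORK/key.pem" -cert "$WORK/crt.pem" \
    -accept "$PORT" -quiet >/dev/null 2>&1 &
  SERVER_PID=$!
  sleep 1
}

stop_server() { kill "$SERVER_PID" 2>/dev/null; rm -rf "$WORK"; }

# Runs s_client with -verify 10 plus any extra options and prints its exit
# status (the if/else keeps "set -e" from aborting on a failed handshake).
# The transcript is kept in $WORK/last.txt for inspection.
client_exit() {
  if openssl s_client -connect "127.0.0.1:$PORT" -verify 10 "$@" \
       </dev/null >"$WORK/last.txt" 2>&1; then echo 0; else echo $?; fi
}

# The "Verify return code" line s_client printed for the most recent run.
last_verify_line() { grep 'Verify return code' "$WORK/last.txt"; }

main() {
  make_cert && start_server || return 1
  # Default callback: the error is printed, the handshake still completes.
  echo "plain -verify 10       -> exit $(client_exit) ($(last_verify_line))"
  # -verify_return_error: the callback fails, the client aborts with an alert.
  echo "+ -verify_return_error -> exit $(client_exit -verify_return_error)"
  stop_server
}

case "${1:-}" in --run) main ;; esac
```

Run it as `sh check_verify.sh --run`; the first line shows exit 0 with "Verify return code: 18", the second a non-zero exit.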