Timeline for Why openssl s_client verifies a cert against a mismatching CAfile?
Current License: CC BY-SA 4.0
8 events
| when | what | action | by | license | comment |
|---|---|---|---|---|---|
| Dec 31, 2020 at 8:40 | comment | added | Janaka Bandara | | @takumar it seems that you can get -verify_return_error to work if you also specify -verify <depth> - the manpage says about -verify: "This specifies the maximum length of the server certificate chain and turns on server certificate verification. Currently the verify operation continues after errors so all the problems with a certificate chain can be seen. As a side effect the connection will never fail due to a server certificate verify failure." |
| May 2, 2019 at 13:01 | comment | added | Arjan | | In 2019, this still seems to be the case on macOS. Also, some systems might support -no-CAfile (Do not load the trusted CA certificates from the default file location) and -no-CApath (Do not load the trusted CA certificates from the default directory location), but my system does not, so I've not tested those. |
| Jan 15, 2019 at 10:55 | history | edited | maxschlepzig | CC BY-SA 4.0 | add ubuntu 16/centos 7 notes |
| Jan 15, 2019 at 10:14 | comment | added | maxschlepzig | | @takumar, I re-tested this under Ubuntu 16 with openssl 1.0.2g-1ubuntu4.14 and I can confirm, without the workaround this openssl test still fails. But at least with the workaround I get the expected error message - and with the workaround and -verify_return_error the command terminates with exit status 1. With Fedora 29 and openssl-1.1.1-3.fc29.x86_64 everything still works as expected, i.e. the workaround isn't necessary. |
| Jan 15, 2019 at 9:31 | comment | added | Toluene | | I have version 1.0.2g and it still has this bug. To make things worse, the -verify_return_error flag has no effect whatsoever and the TLS connection proceeds even if the cert is wrong. |
| Jan 21, 2015 at 10:31 | vote | accept | maxschlepzig | | |
| Oct 19, 2014 at 23:00 | history | edited | maxschlepzig | CC BY-SA 3.0 | add more details and a workaround |
| Oct 19, 2014 at 15:30 | history | answered | maxschlepzig | CC BY-SA 3.0 | |