On Debian and Macports, the script below returns "Verify return code: 0 (ok)". Effectively, it claims Google's CA is certifying Microsoft properties.

Some folks claim this is expected behavior. s_client(3) does not discuss the expected behavior, so I'm not sure what should be expected. (I thought expected behavior was to use a default Trust Store if both -CApath and -CAfile were *not* specified; otherwise, only use what was specified).

For the folks who claim it's expected, I think their reasoning reduces to "s_client has a trust store, and specifying -CAfile means Trust Store + CAfile is used to verify the connection, rather than just CAfile".

Is it expected behavior that s_client will effectively use Trust Store + CAfile (or Trust Store + CApath)?

(I'm happy to update s_client(3) man page to remove all ambiguity once I know what the documented behavior is supposed to be).

Thanks in advance.

*****

$ cat s_client-test.sh
#!/bin/bash

wget https://pki.google.com/GIAG2.crt
openssl x509 -in GIAG2.crt -inform DER -out GIAG2.pem -outform PEM

# Intuitively, this should fail, but it does not.
openssl s_client -connect www.microsoft.com:443 -tls1 -servername www.microsoft.com -CAfile GIAG2.pem
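
Added example, not part of the original post: an offline way to see which trust anchors a given OpenSSL build consults when `-CAfile` is supplied, using `openssl verify` in place of `s_client` so that no network is needed. It assumes OpenSSL 1.1.0 or later (for `-no-CAfile` and `-no-CApath`); the two throwaway CAs, the leaf and all function and file names are constructed for the illustration.

```shell
#!/bin/sh
# Added example: offline check of which trust anchors `openssl verify` consults.
# Everything here is constructed: two throwaway CAs ("a" and "b") and a leaf
# signed by CA a. Function and file names are hypothetical.

make_pki() {  # $1 = working directory
  d=$1
  mkdir -p "$d/store"
  for n in a b; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test CA $n" \
      -keyout "$d/ca_$n.key" -out "$d/ca_$n.pem" 2>/dev/null || return 1
  done
  openssl req -newkey rsa:2048 -nodes -subj "/CN=leaf.example" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca_a.pem" -CAkey "$d/ca_a.key" \
    -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null || return 1
  # CA a goes into a hashed directory that stands in for the default trust store.
  h=$(openssl x509 -hash -noout -in "$d/ca_a.pem") || return 1
  cp "$d/ca_a.pem" "$d/store/$h.0"
}

verify_leaf() {  # $1 = working directory, rest = options for `openssl verify`
  d=$1; shift
  # SSL_CERT_DIR/SSL_CERT_FILE point the build's default store at our stand-in.
  if SSL_CERT_DIR="$d/store" SSL_CERT_FILE=/dev/null \
     openssl verify "$@" "$d/leaf.pem" >/dev/null 2>&1
  then echo ok; else echo fail; fi
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_pki "$work"

# Only the named CA file is trusted: the issuing CA passes, the unrelated CA fails.
echo "right CA, defaults disabled: $(verify_leaf "$work" -no-CAfile -no-CApath -CAfile "$work/ca_a.pem")"
echo "wrong CA, defaults disabled: $(verify_leaf "$work" -no-CAfile -no-CApath -CAfile "$work/ca_b.pem")"

# Build-dependent: "ok" here means the default store was consulted as well as -CAfile.
echo "wrong CA, defaults enabled:  $(verify_leaf "$work" -CAfile "$work/ca_b.pem")"
```

`s_client` accepts the same `-no-CAfile` and `-no-CApath` options from OpenSSL 1.1.0 on, so adding them to the command in the script above restricts verification to the file given with `-CAfile`.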