s_client bug or expected behavior?

On Debian and Macports, the script below returns "Verify return code:
0 (ok)". Effectively, it claims Google's CA is certifying Microsoft
properties.

Some folks claim this is expected behavior. s_client(3) does not
discuss the expected behavior, so I'm not sure what should be
expected. (I thought expected behavior was to use a default Trust
Store if both -CApath and -CAfile were *not* specified; otherwise, only
use what was specified).

For the folks who claim it's expected, I think their reasoning reduces
to "s_client has a trust store, and specifying -CAfile means Trust
Store + CAfile is used to verify the connection, rather than just
CAfile".

Is it expected behavior that s_client will effectively use Trust Store
+ CAfile (or Trust Store + CApath)?

(I'm happy to update s_client(3) man page to remove all ambiguity once
I know what the documented behavior is supposed to be).

Thanks in advance.

*****

$ cat s_client-test.sh
#!/bin/bash

wget https://pki.google.com/GIAG2.crt
openssl x509 -in GIAG2.crt -inform DER -out GIAG2.pem -outform PEM

# Intuitively, this should fail, but it does not.
openssl s_client -connect www.microsoft.com:443 -tls1 -servername \
  www.microsoft.com -CAfile GIAG2.pem
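
The "Trust Store + CAfile" reading above can be checked offline. This is an added example, not part of the original post: it uses `openssl verify` as a stand-in (`s_client` itself is not exercised here), a constructed two-CA PKI, and `SSL_CERT_DIR` to point OpenSSL's default CApath at a throwaway directory. It assumes OpenSSL 1.1.0 or later for `-no-CApath`; all file and CA names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: does -CAfile replace the default trust store or extend it?
# Every name, key and certificate here is constructed for the demo.
set -u
W=$(mktemp -d)
trap 'rm -rf "$W"' EXIT

# Minimal config so the result does not depend on the system openssl.cnf.
cat > "$W/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = unused
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF

make_ca() {  # $1 = CA name; writes $W/$1.key and $W/$1.pem
  openssl req -x509 -config "$W/ca.cnf" -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=$1" -keyout "$W/$1.key" -out "$W/$1.pem" 2>/dev/null
}
make_ca issuer   # the CA that really signs the leaf
make_ca other    # unrelated CA, plays the role of GIAG2.pem

# Leaf certificate signed by "issuer" only.
openssl req -new -config "$W/ca.cnf" -newkey rsa:2048 -nodes \
  -subj "/CN=leaf.example" -keyout "$W/leaf.key" -out "$W/leaf.csr" 2>/dev/null
openssl x509 -req -in "$W/leaf.csr" -CA "$W/issuer.pem" -CAkey "$W/issuer.key" \
  -CAcreateserial -days 2 -out "$W/leaf.pem" 2>/dev/null

# Stand-in for the distribution's default CApath: a hashed directory that
# holds "issuer". SSL_CERT_DIR redirects OpenSSL's default directory to it.
mkdir "$W/store"
cp "$W/issuer.pem" "$W/store/$(openssl x509 -in "$W/issuer.pem" -noout -hash).0"
export SSL_CERT_DIR="$W/store"

# -CAfile names only the unrelated CA; the default CApath is still searched.
verify_additive() {
  openssl verify -CAfile "$W/other.pem" "$W/leaf.pem" >/dev/null 2>&1
}
# Same call with the default directory switched off: other.pem is the sole anchor.
verify_pinned() {
  openssl verify -CAfile "$W/other.pem" -no-CApath "$W/leaf.pem" >/dev/null 2>&1
}

verify_additive && echo "CAfile + default CApath: leaf accepted"
verify_pinned   || echo "CAfile with -no-CApath: leaf rejected"
```
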

