Loading doc/apps/s_client.pod +13 −3 Original line number Diff line number Diff line Loading @@ -10,6 +10,7 @@ s_client - SSL/TLS client program B<openssl> B<s_client> [B<-connect host:port>] [B<-verify depth>] [B<-verify_return_error>] [B<-cert filename>] [B<-certform DER|PEM>] [B<-key filename>] Loading Loading @@ -99,6 +100,11 @@ Currently the verify operation continues after errors so all the problems with a certificate chain can be seen. As a side effect the connection will never fail due to a server certificate verify failure. =item B<-verify_return_error> Return verification errors instead of continuing. This will typically abort the handshake with a fatal error. =item B<-CApath directory> The directory to use for server certificate verification. This directory Loading Loading @@ -332,6 +338,13 @@ Since the SSLv23 client hello cannot include compression methods or extensions these will only be supported if its use is disabled, for example by using the B<-no_sslv2> option. The B<s_client> utility is a test tool and is designed to continue the handshake after any certificate verification errors. As a result it will accept any certificate chain (trusted or not) sent by the peer. None test applications should B<not> do this as it makes them vulnerable to a MITM attack. This behaviour can be changed by with the B<-verify_return_error> option: any verify errors are then returned aborting the handshake. =head1 BUGS Because this program has a lot of options and also because some of Loading @@ -339,9 +352,6 @@ the techniques used are rather old, the C source of s_client is rather hard to read and not a model of how things should be done. A typical SSL client program would be much simpler. The B<-verify> option should really exit if the server verification fails. The B<-prexit> option is a bit of a hack. We should really report information whenever a session is renegotiated. Loading Loading
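Review bot: The paragraph immediately above the new =item B<-verify_return_error> entry in the OPTIONS hunk still states unconditionally that "the connection will never fail due to a server certificate verify failure", which is no longer true once this option is given. Suggest qualifying that sentence, e.g. "As a side effect the connection will never fail due to a server certificate verify failure unless B<-verify_return_error> is given." so the two descriptions do not contradict each other.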
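Review bot: Two wording errors in the new NOTES paragraph: "None test applications should B<not> do this" should read "Non-test applications should B<not> do this", and "This behaviour can be changed by with the B<-verify_return_error> option" has a stray "by" (either "changed with" or "changed by using"). The last clause also reads better with a comma: "any verify errors are then returned, aborting the handshake." The security point itself (that accepting an untrusted chain leaves an application open to a MITM) is the right thing to document here.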
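Review bot: Dropping the BUGS entry "The B<-verify> option should really exit if the server verification fails." is only fully justified if the new option is considered the fix; the default behaviour in this hunk is unchanged (s_client still continues after verify errors unless B<-verify_return_error> is passed). Consider either keeping a reworded entry noting that the default remains non-fatal, or stating in the B<-verify> description that B<-verify_return_error> is the way to obtain the fail-closed behaviour.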