Commit bdb59d97 authored by Matt Caswell

Fix documentation for the -showcerts s_client option



This option shows the certificates as sent by the server. It is not the
full verified chain.

Fixes #4933

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6067)
parent 4522e130
+2 −1
@@ -637,7 +637,8 @@ const OPTIONS s_client_options[] = {
     "Disable name checks when matching DANE-EE(3) TLSA records"},
    {"reconnect", OPT_RECONNECT, '-',
     "Drop and re-make the connection with the same Session-ID"},
    {"showcerts", OPT_SHOWCERTS, '-', "Show all certificates in the chain"},
    {"showcerts", OPT_SHOWCERTS, '-',
     "Show all certificates sent by the server"},
    {"debug", OPT_DEBUG, '-', "Extra output"},
    {"msg", OPT_MSG, '-', "Show protocol messages"},
    {"msgfile", OPT_MSGFILE, '>',
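Review bot: The new "showcerts" help string says what is shown but not that the list is unverified, which is the point the commit message makes ("It is not the full verified chain"). Someone who only reads the built-in help output can still take the output for the chain that verification used. Consider carrying the caveat into the string, for example "Show all certificates sent by the server (not a verified chain)", so the one-line help and the manual page agree.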
+5 −3
@@ -333,8 +333,9 @@ be used as a test that session caching is working.

=item B<-showcerts>

Display the whole server certificate chain: normally only the server
certificate itself is displayed.
Displays the server certificate list as sent by the server: it only consists of
certificates the server has sent (in the order the server has sent them). It is
B<not> a verified chain.

=item B<-prexit>

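Review bot: The replacement text under "=item B<-showcerts>" states the same thing twice: "as sent by the server" and then "it only consists of certificates the server has sent". A tighter wording such as "Displays the certificate list as sent by the server, in the order the server sent it. It is B<not> a verified chain." keeps the ordering detail and the caveat without the repetition. It would also help to say in one clause why the distinction matters, namely that the list sent by the server can differ from the chain the client builds during verification.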
@@ -695,7 +696,8 @@ a client certificate. Therefor merely including a client certificate
on the command line is no guarantee that the certificate works.

If there are problems verifying a server certificate then the
B<-showcerts> option can be used to show the whole chain.
B<-showcerts> option can be used to show all the certificates sent by the
server.

The B<s_client> utility is a test tool and is designed to continue the
handshake after any certificate verification errors. As a result it will
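Review bot: The troubleshooting paragraph in this hunk ("If there are problems verifying a server certificate ...") is where a reader is most likely to mistake the -showcerts output for the chain that failed verification, yet the new sentence drops the "B<not> a verified chain" caveat that the option description now carries. Suggest repeating the caveat here or pointing back to the B<-showcerts> item. Separately, the hunk header context still reads "Therefor merely including a client certificate"; "Therefore" could be fixed while this section is being touched.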