projects
/
openssl.git
/ commitdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
| commitdiff |
tree
raw
|
patch
|
inline
| side by side (parent:
997d1aa
)
Document -verify_return_error option.
author
Dr. Stephen Henson
<steve@openssl.org>
Mon, 7 Apr 2014 12:02:10 +0000
(13:02 +0100)
committer
Dr. Stephen Henson
<steve@openssl.org>
Mon, 7 Apr 2014 12:02:39 +0000
(13:02 +0100)
doc/apps/s_client.pod
patch
|
blob
|
history
diff --git
a/doc/apps/s_client.pod
b/doc/apps/s_client.pod
index 85e5b9cecb016a1eda145501f04460ddb4e0aae0..8964032cde212401418a1b6189003e669dddbef8 100644
(file)
--- a/
doc/apps/s_client.pod
+++ b/
doc/apps/s_client.pod
@@
-10,6
+10,7
@@
s_client - SSL/TLS client program
B<openssl> B<s_client>
[B<-connect host:port>]
[B<-verify depth>]
B<openssl> B<s_client>
[B<-connect host:port>]
[B<-verify depth>]
+[B<-verify_return_error>]
[B<-cert filename>]
[B<-certform DER|PEM>]
[B<-key filename>]
[B<-cert filename>]
[B<-certform DER|PEM>]
[B<-key filename>]
@@
-99,6
+100,11
@@
Currently the verify operation continues after errors so all the problems
with a certificate chain can be seen. As a side effect the connection
will never fail due to a server certificate verify failure.
with a certificate chain can be seen. As a side effect the connection
will never fail due to a server certificate verify failure.
+=item B<-verify_return_error>
+
+Return verification errors instead of continuing. This will typically
+abort the handshake with a fatal error.
+
=item B<-CApath directory>
The directory to use for server certificate verification. This directory
=item B<-CApath directory>
The directory to use for server certificate verification. This directory
@@
-332,6
+338,13
@@
Since the SSLv23 client hello cannot include compression methods or extensions
these will only be supported if its use is disabled, for example by using the
B<-no_sslv2> option.
these will only be supported if its use is disabled, for example by using the
B<-no_sslv2> option.
+The B<s_client> utility is a test tool and is designed to continue the
+handshake after any certificate verification errors. As a result it will
+accept any certificate chain (trusted or not) sent by the peer. None test
+applications should B<not> do this as it makes them vulnerable to a MITM
+attack. This behaviour can be changed by with the B<-verify_return_error>
+option: any verify errors are then returned aborting the handshake.
+
=head1 BUGS
Because this program has a lot of options and also because some of
=head1 BUGS
Because this program has a lot of options and also because some of
@@
-339,9
+352,6
@@
the techniques used are rather old, the C source of s_client is rather
hard to read and not a model of how things should be done. A typical
SSL client program would be much simpler.
hard to read and not a model of how things should be done. A typical
SSL client program would be much simpler.
-The B<-verify> option should really exit if the server verification
-fails.
-
The B<-prexit> option is a bit of a hack. We should really report
information whenever a session is renegotiated.
The B<-prexit> option is a bit of a hack. We should really report
information whenever a session is renegotiated.