summaryrefslogtreecommitdiff
path: root/doc/apps
diff options
context:
space:
mode:
authorDr. Stephen Henson <steve@openssl.org>2014-04-07 13:02:10 +0100
committerDr. Stephen Henson <steve@openssl.org>2014-04-07 13:03:54 +0100
commita4896327e3e8c692438f0a85306f207b84b767f0 (patch)
treecd539214d2121fc0e2d157298d62448e782c60a5 /doc/apps
parentf396e9f4fc609d752eafffc155d4588cc4fffe94 (diff)
downloadopenssl-new-a4896327e3e8c692438f0a85306f207b84b767f0.tar.gz
Document -verify_return_error option.
(cherry picked from commit 4e6c12f3088d3ee5747ec9e16d03fc671b8f40be)
Diffstat (limited to 'doc/apps')
-rw-r--r--doc/apps/s_client.pod16
1 files changed, 13 insertions, 3 deletions
diff --git a/doc/apps/s_client.pod b/doc/apps/s_client.pod
index ab3547d321..c5c7f18d9d 100644
--- a/doc/apps/s_client.pod
+++ b/doc/apps/s_client.pod
@@ -10,6 +10,7 @@ s_client - SSL/TLS client program
B<openssl> B<s_client>
[B<-connect host:port>]
[B<-verify depth>]
+[B<-verify_return_error>]
[B<-cert filename>]
[B<-certform DER|PEM>]
[B<-key filename>]
@@ -93,6 +94,11 @@ Currently the verify operation continues after errors so all the problems
with a certificate chain can be seen. As a side effect the connection
will never fail due to a server certificate verify failure.
+=item B<-verify_return_error>
+
+Return verification errors instead of continuing. This will typically
+abort the handshake with a fatal error.
+
=item B<-CApath directory>
The directory to use for server certificate verification. This directory
@@ -305,6 +311,13 @@ Since the SSLv23 client hello cannot include compression methods or extensions
these will only be supported if its use is disabled, for example by using the
B<-no_sslv2> option.
+The B<s_client> utility is a test tool and is designed to continue the
+handshake after any certificate verification errors. As a result it will
+accept any certificate chain (trusted or not) sent by the peer. None test
+applications should B<not> do this as it makes them vulnerable to a MITM
+attack. This behaviour can be changed by with the B<-verify_return_error>
+option: any verify errors are then returned aborting the handshake.
+
=head1 BUGS
Because this program has a lot of options and also because some of
@@ -312,9 +325,6 @@ the techniques used are rather old, the C source of s_client is rather
hard to read and not a model of how things should be done. A typical
SSL client program would be much simpler.
-The B<-verify> option should really exit if the server verification
-fails.
-
The B<-prexit> option is a bit of a hack. We should really report
information whenever a session is renegotiated.