| field | value |
|---|---|
| author | jkim <jkim@FreeBSD.org>, 2014-04-08 21:06:58 +0000 |
| committer | jkim <jkim@FreeBSD.org>, 2014-04-08 21:06:58 +0000 |
| commit | 89b378c4b34c70b60981e17ea385f14c9e285912 (patch) |
| tree | 782ade2dc94388e4ddc56b20d9c7ccf578d61077 /crypto/openssl/doc/apps/s_client.pod |
| parent | 808e531530813c805e5f01db2b51e22340fd77a6 (diff) |
| download | FreeBSD-src-89b378c4b34c70b60981e17ea385f14c9e285912.zip, FreeBSD-src-89b378c4b34c70b60981e17ea385f14c9e285912.tar.gz |
Merge OpenSSL 1.0.1g.
Approved by: benl (maintainer)
Diffstat (limited to 'crypto/openssl/doc/apps/s_client.pod')

| mode | file | lines |
|---|---|---|
| -rw-r--r-- | crypto/openssl/doc/apps/s_client.pod | 16 |

1 file changed, 13 insertions, 3 deletions
diff --git a/crypto/openssl/doc/apps/s_client.pod b/crypto/openssl/doc/apps/s_client.pod index 4ebf7b5..3215b2e 100644 --- a/crypto/openssl/doc/apps/s_client.pod +++ b/crypto/openssl/doc/apps/s_client.pod @@ -10,6 +10,7 @@ s_client - SSL/TLS client program B<openssl> B<s_client> [B<-connect host:port>] [B<-verify depth>] +[B<-verify_return_error>] [B<-cert filename>] [B<-certform DER|PEM>] [B<-key filename>] @@ -90,6 +91,11 @@ Currently the verify operation continues after errors so all the problems with a certificate chain can be seen. As a side effect the connection will never fail due to a server certificate verify failure. +=item B<-verify_return_error> + +Return verification errors instead of continuing. This will typically +abort the handshake with a fatal error. + =item B<-CApath directory> The directory to use for server certificate verification. This directory @@ -286,6 +292,13 @@ Since the SSLv23 client hello cannot include compression methods or extensions these will only be supported if its use is disabled, for example by using the B<-no_sslv2> option. +The B<s_client> utility is a test tool and is designed to continue the +handshake after any certificate verification errors. As a result it will +accept any certificate chain (trusted or not) sent by the peer. None test +applications should B<not> do this as it makes them vulnerable to a MITM +attack. This behaviour can be changed by with the B<-verify_return_error> +option: any verify errors are then returned aborting the handshake. + =head1 BUGS Because this program has a lot of options and also because some of @@ -293,9 +306,6 @@ the techniques used are rather old, the C source of s_client is rather hard to read and not a model of how things should be done. A typical SSL client program would be much simpler. -The B<-verify> option should really exit if the server verification -fails. - The B<-prexit> option is a bit of a hack. We should really report information whenever a session is renegotiated. |
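Review bot: the new `=item B<-verify_return_error>` entry should say whether the option does anything on its own or only changes what B<-verify> does. It is placed directly after the B<-verify> text that describes verification continuing after errors ("As a side effect the connection will never fail due to a server certificate verify failure"), which reads as if it is a modifier of B<-verify>; if that is the case, add a sentence such as "This option only has an effect when B<-verify> is also given", otherwise a reader will pass B<-verify_return_error> alone and still see the handshake complete against an untrusted chain.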
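Review bot: two wording errors in the added NOTES paragraph: "None test applications should B<not> do this" should read "Non-test applications should B<not> do this", and "This behaviour can be changed by with the B<-verify_return_error> option" has one preposition too many ("changed with the ... option"). The closing clause also wants a comma: "any verify errors are then returned, aborting the handshake". Since this paragraph is the one that actually warns about the MITM consequence of the default behaviour, it is worth getting the wording right before it ships in the manual page.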