path: root/secure/usr.bin/openssl/man/s_client.1
Diffstat (limited to 'secure/usr.bin/openssl/man/s_client.1')
-rw-r--r--  secure/usr.bin/openssl/man/s_client.1  | 19
1 files changed, 14 insertions, 5 deletions
diff --git a/secure/usr.bin/openssl/man/s_client.1 b/secure/usr.bin/openssl/man/s_client.1
index 19db477..a190b49 100644
--- a/secure/usr.bin/openssl/man/s_client.1
+++ b/secure/usr.bin/openssl/man/s_client.1
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.23)
+.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.28)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -124,7 +124,7 @@
.\" ========================================================================
.\"
.IX Title "S_CLIENT 1"
-.TH S_CLIENT 1 "2013-02-11" "1.0.1e" "OpenSSL"
+.TH S_CLIENT 1 "2014-04-07" "1.0.1g" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
@@ -136,6 +136,7 @@ s_client \- SSL/TLS client program
\&\fBopenssl\fR \fBs_client\fR
[\fB\-connect host:port\fR]
[\fB\-verify depth\fR]
+[\fB\-verify_return_error\fR]
[\fB\-cert filename\fR]
[\fB\-certform DER|PEM\fR]
[\fB\-key filename\fR]
@@ -205,6 +206,10 @@ server certificate chain and turns on server certificate verification.
Currently the verify operation continues after errors so all the problems
with a certificate chain can be seen. As a side effect the connection
will never fail due to a server certificate verify failure.
+.IP "\fB\-verify_return_error\fR" 4
+.IX Item "-verify_return_error"
+Return verification errors instead of continuing. This will typically
+abort the handshake with a fatal error.
.IP "\fB\-CApath directory\fR" 4
.IX Item "-CApath directory"
The directory to use for server certificate verification. This directory
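Review bot: The unchanged sentence just above the new item, "As a side effect the connection will never fail due to a server certificate verify failure", is no longer unconditionally true once -verify_return_error exists; qualify it (e.g. "unless \fB\-verify_return_error\fR is also given") so the -verify entry does not contradict the option added directly below it. The new item's "Return verification errors instead of continuing" also leaves unstated what "continuing" refers to; a pointer back to the -verify behaviour ("instead of continuing the handshake after a verify error, as \fB\-verify\fR does") would make the item self-explanatory.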
@@ -372,6 +377,13 @@ If there are problems verifying a server certificate then the
Since the SSLv23 client hello cannot include compression methods or extensions
these will only be supported if its use is disabled, for example by using the
\&\fB\-no_sslv2\fR option.
+.PP
+The \fBs_client\fR utility is a test tool and is designed to continue the
+handshake after any certificate verification errors. As a result it will
+accept any certificate chain (trusted or not) sent by the peer. None test
+applications should \fBnot\fR do this as it makes them vulnerable to a \s-1MITM\s0
+attack. This behaviour can be changed by with the \fB\-verify_return_error\fR
+option: any verify errors are then returned aborting the handshake.
.SH "BUGS"
.IX Header "BUGS"
Because this program has a lot of options and also because some of
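Review bot: Two typos in the added NOTES paragraph: "None test applications" should read "Non-test applications", and "changed by with the" has a stray word and should be "changed with the". The closing sentence, "any verify errors are then returned aborting the handshake", reads better as "any verify error is then returned and the handshake is aborted". The security point itself is the right one to document here, since the default -verify behaviour accepts any chain.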
@@ -379,9 +391,6 @@ the techniques used are rather old, the C source of s_client is rather
hard to read and not a model of how things should be done. A typical
\&\s-1SSL\s0 client program would be much simpler.
.PP
-The \fB\-verify\fR option should really exit if the server verification
-fails.
-.PP
The \fB\-prexit\fR option is a bit of a hack. We should really report
information whenever a session is renegotiated.
.SH "SEE ALSO"
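Review bot: Dropping the BUGS entry is consistent with the new -verify_return_error option, but the default behaviour the entry complained about, -verify continuing after a failed verification, is unchanged by this patch; consider rewording rather than removing it, e.g. "The \fB\-verify\fR option does not exit on verification failure by default; use \fB\-verify_return_error\fR for that", so a reader who only consults BUGS still finds the safe invocation.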