From 89b378c4b34c70b60981e17ea385f14c9e285912 Mon Sep 17 00:00:00 2001
From: jkim
Date: Tue, 8 Apr 2014 21:06:58 +0000
Subject: Merge OpenSSL 1.0.1g.

Approved by: benl (maintainer)
---
 secure/usr.bin/openssl/man/s_client.1 | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

(limited to 'secure/usr.bin/openssl/man/s_client.1')

diff --git a/secure/usr.bin/openssl/man/s_client.1 b/secure/usr.bin/openssl/man/s_client.1
index 6f424fd..a190b49 100644
--- a/secure/usr.bin/openssl/man/s_client.1
+++ b/secure/usr.bin/openssl/man/s_client.1
@@ -124,7 +124,7 @@
 .\" ========================================================================
 .\"
 .IX Title "S_CLIENT 1"
-.TH S_CLIENT 1 "2014-01-06" "1.0.1f" "OpenSSL"
+.TH S_CLIENT 1 "2014-04-07" "1.0.1g" "OpenSSL"
 .\" For nroff, turn off justification. Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -136,6 +136,7 @@ s_client \- SSL/TLS client program
 \&\fBopenssl\fR \fBs_client\fR
 [\fB\-connect host:port\fR]
 [\fB\-verify depth\fR]
+[\fB\-verify_return_error\fR]
 [\fB\-cert filename\fR]
 [\fB\-certform DER|PEM\fR]
 [\fB\-key filename\fR]
@@ -205,6 +206,10 @@ server certificate chain and turns on server certificate verification.
 Currently the verify operation continues after errors so all the problems
 with a certificate chain can be seen. As a side effect the connection
 will never fail due to a server certificate verify failure.
+.IP "\fB\-verify_return_error\fR" 4
+.IX Item "-verify_return_error"
+Return verification errors instead of continuing. This will typically
+abort the handshake with a fatal error.
 .IP "\fB\-CApath directory\fR" 4
 .IX Item "-CApath directory"
 The directory to use for server certificate verification. This directory
@@ -372,6 +377,13 @@ If there are problems verifying a server certificate then the
 Since the SSLv23 client hello cannot include compression methods or extensions
 these will only be supported if its use is disabled, for example by using the
 \&\fB\-no_sslv2\fR option.
+.PP
+The \fBs_client\fR utility is a test tool and is designed to continue the
+handshake after any certificate verification errors. As a result it will
+accept any certificate chain (trusted or not) sent by the peer. None test
+applications should \fBnot\fR do this as it makes them vulnerable to a \s-1MITM\s0
+attack. This behaviour can be changed by with the \fB\-verify_return_error\fR
+option: any verify errors are then returned aborting the handshake.
 .SH "BUGS"
 .IX Header "BUGS"
 Because this program has a lot of options and also because some of
@@ -379,9 +391,6 @@ the techniques used are rather old, the C source of s_client is rather
 hard to read and not a model of how things should be done. A typical
 \&\s-1SSL\s0 client program would be much simpler.
 .PP
-The \fB\-verify\fR option should really exit if the server verification
-fails.
-.PP
 The \fB\-prexit\fR option is a bit of a hack. We should really report
 information whenever a session is renegotiated.
 .SH "SEE ALSO"
--
cgit v1.1