Hi,

I'm trying to diagnose a problem with an SSL server.  I'm using s_client to 
attempt to investigate further.  My initial investigation was to obtain the 
list of certificates the server is supplying.

From reading the documentation, I had thought that the "showcerts" option 
would do this.  However, it seems that showcerts is ignored if the SSL 
handshake fails.

Here is the output with OpenSSL v0.9.8k (Debian package 0.9.8k-8) without 
specifying "showcerts":

p...@zitpcx6184:~$ openssl s_client -connect grid-vomrs1.desy.de:8443
CONNECTED(00000003)
depth=0 /C=DE/O=GermanGrid/OU=DESY/CN=host/grid-vomrs.desy.de
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=DE/O=GermanGrid/OU=DESY/CN=host/grid-vomrs.desy.de
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=DE/O=GermanGrid/OU=DESY/CN=host/grid-vomrs.desy.de
verify error:num=21:unable to verify the first certificate
verify return:1
21653:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate:s3_pkt.c:1061:SSL alert number 42
21653:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:


Here's the output with the "-showcerts" option:

p...@zitpcx6184:~$ openssl s_client -showcerts -connect grid-vomrs1.desy.de:8443
CONNECTED(00000003)
depth=0 /C=DE/O=GermanGrid/OU=DESY/CN=host/grid-vomrs.desy.de
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=DE/O=GermanGrid/OU=DESY/CN=host/grid-vomrs.desy.de
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=DE/O=GermanGrid/OU=DESY/CN=host/grid-vomrs.desy.de
verify error:num=21:unable to verify the first certificate
verify return:1
21724:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate:s3_pkt.c:1061:SSL alert number 42
21724:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:

Note that adding the showcerts option generates no additional output and the 
server-supplied certificates are missing.

I would like the showcerts option to be honoured, even if the SSL handshake 
fails.  (This is either a bug-fix or a feature request, depending on what 
showcerts is supposed to do :-)

Cheers,

Paul.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
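
Added example, not part of the original post and not OpenSSL code: one way to recover the server-supplied certificates when the handshake is aborted is to parse the Certificate handshake message out of the raw server-to-client bytes (for instance from a packet capture). It assumes SSLv3 through TLS 1.2, where that message is sent unencrypted; all function names and the sample bytes (with placeholder certificate blobs) are constructed for illustration.

```python
import struct

HANDSHAKE, ALERT, CERTIFICATE = 22, 21, 11  # record types 22/21; handshake msg type 11

def u24(b, off):
    """Read a 3-byte big-endian length field."""
    return int.from_bytes(b[off:off + 3], "big")

def handshake_stream(raw):
    """Join the payloads of all handshake records (messages may span records)."""
    out, off = bytearray(), 0
    while off + 5 <= len(raw):
        ctype, _version, length = struct.unpack_from("!BHH", raw, off)
        body = raw[off + 5:off + 5 + length]
        if len(body) < length:
            break  # truncated capture
        if ctype == HANDSHAKE:
            out += body
        off += 5 + length
    return bytes(out)

def server_certificates(raw):
    """Return the DER blobs of the first Certificate message, or [] if none."""
    hs, off = handshake_stream(raw), 0
    while off + 4 <= len(hs):
        mtype, mlen = hs[off], u24(hs, off + 1)
        body = hs[off + 4:off + 4 + mlen]
        if mtype == CERTIFICATE and len(body) == mlen and mlen >= 3:
            certs, pos, end = [], 3, 3 + u24(body, 0)
            while pos + 3 <= min(end, mlen):
                clen = u24(body, pos)
                certs.append(body[pos + 3:pos + 3 + clen])
                pos += 3 + clen
            return certs
        off += 4 + mlen
    return []

def _record(ctype, payload):
    return struct.pack("!BHH", ctype, 0x0301, len(payload)) + payload
def _handshake(mtype, body):
    return bytes([mtype]) + len(body).to_bytes(3, "big") + body

def sample_capture():
    """Constructed server-to-client bytes: hello, split Certificate, fatal alert 42."""
    clist = b"".join(len(c).to_bytes(3, "big") + c for c in (b"\x30\x03AAA", b"\x30\x02BB"))
    msg = _handshake(CERTIFICATE, len(clist).to_bytes(3, "big") + clist)
    hello = _handshake(2, b"\x03\x01" + bytes(32) + b"\x00\x00\x2f\x00")
    return (_record(HANDSHAKE, hello) + _record(HANDSHAKE, msg[:7])
            + _record(HANDSHAKE, msg[7:]) + _record(ALERT, b"\x02\x2a"))
```

With real capture data, each returned blob can be written to a file and inspected with `openssl x509 -inform DER -text -noout`.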
