Hello Dave,

On Thu, Apr 24, 2014 at 12:24 PM, Dave Thompson <dthomp...@prinpay.com> wrote:

> > From: owner-openssl-...@openssl.org On Behalf Of Dmitry Belyavsky via RT
> > Sent: Wednesday, April 23, 2014 12:29
> > Cc: openssl-dev@openssl.org
> > Subject: [openssl.org #3325] Problem with client certification authorization
> >
> > I've got a problem testing s_client/s_server authorization.
> <snip>
> > I expect that server will refuse connection because of invalid client cert
> > and required client certificate.
> >
> > I see the following error in stderr of the server:
> <snip>
> > verify error:num=7:certificate signature failure
> <snip>
> > but the server does not close the connection.
> > What's wrong with my test?
> >
> Your expectations. Both s_client and s_server were designed as test/debug
> tools. They set the certverify callback to display results but continue the
> connection, not abort, in order to allow catching any other problems.
> s_client does not abort if the server cert is invalid and s_server does not abort
> if the client cert is invalid. Although, if you 'require' client with -Verify uppercase
> on s_server and the client sends *no* cert it does abort.
>

So is there a way to test that an error in cert verification aborts the
connection in case of a bad cert, using the s_server/s_client pair?

Thank you!

-- 
SY, Dmitry Belyavsky