Dear Sir,
I am not sure that this is the correct place to post this, but I can
find no official bug mailing list, and my searches of your archive do
not reveal a solution to this issue.
Issue:
The openssl s_client utility is unable to display the server certificate
if the server certificate fails verification. Since the server
certificate may be desired irrespective of the verification status it
should be possible to display this certificate when verification fails.
Steps to reproduce:
OpenSSL version: 0.9.8g
Ubuntu version: 8.04
Kernel version: 2.6.24-21-generic
1) Open the command line
2) Enter the command 'openssl s_client -connect idp.nhc.ac.uk:8443'
Output is:
CONNECTED(00000003)
depth=0 /O=Internet2QI/OU=InternetQuickInstall/CN=IDP.NHC.AC.UK
verify error:num=18:self signed certificate
verify return:1
depth=0 /O=Internet2QI/OU=InternetQuickInstall/CN=IDP.NHC.AC.UK
verify return:1
15150:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate:s3_pkt.c:1053:SSL alert number 42
15150:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
3) Enter the command 'openssl s_client -connect idp.nhc.ac.uk:8443 -showcerts'
Output is:
CONNECTED(00000003)
depth=0 /O=Internet2QI/OU=InternetQuickInstall/CN=IDP.NHC.AC.UK
verify error:num=18:self signed certificate
verify return:1
depth=0 /O=Internet2QI/OU=InternetQuickInstall/CN=IDP.NHC.AC.UK
verify return:1
15169:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate:s3_pkt.c:1053:SSL alert number 42
15169:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
Expected results:
The certificate should be displayed even if verification fails.
This can be seen as a parallel of the behaviour of the verify program,
which states:
"There is one crucial difference between the verify operations performed
by the verify program: wherever possible an attempt is made to continue
after an error whereas normally the verify operation would halt on the
first error. This allows all the problems with a certificate chain to be
determined."
In the same way, the s_client program should display the certificate
even if an error occurs. This would allow verification that the server
certificate is the expected certificate.
Regards,
--
Matthew Franglen
Software Developer
Semantico, Floor 1, 21-23 Dyke Road, Brighton BN1 3FE
t: +44 1273 358221
f: +44 1273 723232
e: [EMAIL PROTECTED]
w: www.semantico.com
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
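As an added illustration for readers triaging output like the above (this is not part of the report and not OpenSSL's own code), the Python snippet below parses the s_client output quoted in the report and separates the two kinds of messages it contains: verify-callback findings, which s_client prints as `verify error:` and, as the following `verify return:1` shows, continues past, and an alert received from the peer (`SSL alert number 42`, bad_certificate, reported from SSL3_READ_BYTES), which is what ended the handshake before s_client reached the point at which it prints certificates. The sample text is the report's output joined back onto single lines; the function and class names and the lookup tables are assumptions of this example, with the alert numbers taken from the TLS alert registry (RFC 5246 section 7.2) and the verify error numbers from OpenSSL's X509 verify error codes.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the s_client output quoted in the report, with the two
# library error lines joined back together as the terminal printed them.
SAMPLE_OUTPUT = """\
CONNECTED(00000003)
depth=0 /O=Internet2QI/OU=InternetQuickInstall/CN=IDP.NHC.AC.UK
verify error:num=18:self signed certificate
verify return:1
depth=0 /O=Internet2QI/OU=InternetQuickInstall/CN=IDP.NHC.AC.UK
verify return:1
15150:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate:s3_pkt.c:1053:SSL alert number 42
15150:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
"""

# TLS alert descriptions that concern certificates (RFC 5246 section 7.2).
ALERT_DESCRIPTIONS = {
    40: "handshake_failure",
    41: "no_certificate (SSLv3 only)",
    42: "bad_certificate",
    43: "unsupported_certificate",
    44: "certificate_revoked",
    45: "certificate_expired",
    46: "certificate_unknown",
    48: "unknown_ca",
}

# OpenSSL X509 verify error numbers commonly seen in s_client output.
VERIFY_ERRORS = {
    2: "unable to get issuer certificate",
    9: "certificate is not yet valid",
    10: "certificate has expired",
    18: "self signed certificate",
    19: "self signed certificate in certificate chain",
    20: "unable to get local issuer certificate",
    21: "unable to verify the first certificate",
}

DEPTH_RE = re.compile(r"^depth=(\d+) (.*)$")
VERIFY_ERR_RE = re.compile(r"^verify error:num=(\d+):(.*)$")
VERIFY_RET_RE = re.compile(r"^verify return:(\d+)$")
LIB_ERR_RE = re.compile(r"^\d+:error:([0-9A-Fa-f]+):SSL routines:(\w+):([^:]*):")
ALERT_RE = re.compile(r"SSL alert number (\d+)\s*$")


@dataclass
class VerifyFinding:
    """One local verification error reported by s_client's verify callback."""
    depth: int
    subject: str
    errnum: int
    message: str
    continued: bool = False  # True when "verify return:1" followed, i.e. s_client went on


@dataclass
class Triage:
    findings: List[VerifyFinding] = field(default_factory=list)
    peer_alert: Optional[int] = None          # alert number received from the server
    library_errors: List[str] = field(default_factory=list)

    def local_verify_aborted(self) -> bool:
        """True only if the verify callback returned 0 and stopped the handshake."""
        return any(not f.continued for f in self.findings)

    def fatal_cause(self) -> str:
        """Short explanation of what terminated the connection, if anything did."""
        if self.peer_alert is not None:
            name = ALERT_DESCRIPTIONS.get(self.peer_alert, "unknown alert")
            return (f"peer sent alert {self.peer_alert} ({name}); "
                    f"local verification findings were non-fatal")
        if self.local_verify_aborted():
            return "local certificate verification aborted the handshake"
        if self.library_errors:
            return "library error: " + "; ".join(self.library_errors)
        return "handshake completed"


def triage_s_client(output: str) -> Triage:
    """Walk s_client output line by line and classify what it reports."""
    t = Triage()
    depth, subject = -1, ""
    pending: Optional[VerifyFinding] = None
    for raw in output.splitlines():
        line = raw.strip()
        if m := DEPTH_RE.match(line):
            depth, subject = int(m.group(1)), m.group(2)
        elif m := VERIFY_ERR_RE.match(line):
            pending = VerifyFinding(depth, subject, int(m.group(1)), m.group(2))
            t.findings.append(pending)
        elif m := VERIFY_RET_RE.match(line):
            # The return value belongs to the most recent verify error, if any.
            if pending is not None:
                pending.continued = m.group(1) == "1"
                pending = None
        elif m := LIB_ERR_RE.match(line):
            t.library_errors.append(f"{m.group(2)}: {m.group(3)}")
            if a := ALERT_RE.search(line):
                t.peer_alert = int(a.group(1))
    return t


if __name__ == "__main__":
    result = triage_s_client(SAMPLE_OUTPUT)
    for f in result.findings:
        print(f"depth {f.depth} {f.subject}: error {f.errnum} "
              f"({VERIFY_ERRORS.get(f.errnum, f.message)}), continued={f.continued}")
    print(result.fatal_cause())
```

On the report's output the parser records one non-fatal local finding (error 18, self signed certificate, at depth 0, followed by `verify return:1`) and a peer alert 42 (bad_certificate), so the verdict distinguishes the server's rejection of the handshake from the client-side verification result.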