Dear Sir,

I am not sure that this is the correct place to post this, but I can find no official bug mailing list, and my searches of your archive do not reveal a solution to this issue.

Issue:

The openssl s_client utility is unable to display the server certificate if the server certificate fails verification. Since the server certificate may be desired irrespective of the verification status, it should be possible to display this certificate when verification fails.

Steps to reproduce:

OpenSSL version: 0.9.8g
Ubuntu version: 8.04
Kernel version: 2.6.24-21-generic

1) Open the command line
2) Enter the command 'openssl s_client -connect idp.nhc.ac.uk:8443'

Output is:
CONNECTED(00000003)
depth=0 /O=Internet2QI/OU=InternetQuickInstall/CN=IDP.NHC.AC.UK
verify error:num=18:self signed certificate
verify return:1
depth=0 /O=Internet2QI/OU=InternetQuickInstall/CN=IDP.NHC.AC.UK
verify return:1
15150:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate:s3_pkt.c:1053:SSL alert number 42
15150:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:

3) Enter the command 'openssl s_client -connect idp.nhc.ac.uk:8443 -showcerts'

Output is:
CONNECTED(00000003)
depth=0 /O=Internet2QI/OU=InternetQuickInstall/CN=IDP.NHC.AC.UK
verify error:num=18:self signed certificate
verify return:1
depth=0 /O=Internet2QI/OU=InternetQuickInstall/CN=IDP.NHC.AC.UK
verify return:1
15169:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate:s3_pkt.c:1053:SSL alert number 42
15169:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:

Expected results:

The certificate should be displayed even if verification fails.

This can be seen as a parallel of the behaviour of the verify program, which states:

"There is one crucial difference between the verify operations performed by the verify program: wherever possible an attempt is made to continue after an error whereas normally the verify operation would halt on the first error. This allows all the problems with a certificate chain to be determined."

In the same way, the s_client program should display the certificate even if an error occurs. This would allow verification that the server certificate is the expected certificate.

Regards,

--
Matthew Franglen
Software Developer

Semantico, Floor 1, 21-23 Dyke Road, Brighton BN1 3FE
t: +44 1273 358221
f: +44 1273 723232
e: [EMAIL PROTECTED]
w: www.semantico.com
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
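An added example, not part of the report above or of the OpenSSL project, showing the check the reporter wants (confirm that the server presented the expected certificate even when it does not verify): it fetches the leaf certificate without requiring verification, pulls PEM blocks out of `-showcerts` output, and compares a SHA-256 fingerprint against an operator-supplied pin. Host, port and pin are assumed command-line inputs; it only helps while the TLS handshake itself completes (the self-signed case, verify error 18), not when the server aborts with an alert as in the transcript, where the certificate is reachable only from a library-level verify callback.

```python
# Added example: pin-check a server certificate that fails trust-store verification.
import hashlib
import re
import ssl

# Matches one PEM certificate block, e.g. inside `openssl s_client -showcerts` output.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL)


def sha256_fingerprint(pem_cert):
    """SHA-256 fingerprint over the DER encoding, colon-separated upper-case hex
    (the same form `openssl x509 -fingerprint -sha256` prints)."""
    der = ssl.PEM_cert_to_DER_cert(pem_cert)
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def certs_from_showcerts(output):
    """Return every PEM block found in s_client -showcerts output, in the order
    the server sent them (leaf certificate first)."""
    return PEM_BLOCK.findall(output)


def fetch_server_cert(host, port):
    """Fetch the server's leaf certificate without verifying it.
    ssl.get_server_certificate() handshakes with CERT_NONE, so a self-signed or
    untrusted certificate does not abort the handshake on the client side.
    Caveat: if the server itself sends a fatal alert before the handshake
    completes, no certificate is returned; only a verify callback in the
    library sees the certificate at that point."""
    return ssl.get_server_certificate((host, port))


def matches_pin(pem_cert, expected_fingerprint):
    """True when the certificate's SHA-256 fingerprint equals the pinned value."""
    return sha256_fingerprint(pem_cert) == expected_fingerprint.upper()


if __name__ == "__main__":
    import sys
    # Assumed usage: python pincheck.py HOST PORT AA:BB:...:ZZ
    host, port, pin = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    pem = fetch_server_cert(host, port)
    print(pem)
    print("fingerprint:", sha256_fingerprint(pem))
    print("matches pin:", matches_pin(pem, pin))
```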