Thank you Dave.

My setup is:

Attacker Linux PC (Client)------ SSLFP-Firewall -------Victim Linux PC (Server)

Here, the firewall supports SSL certificate caching, so I just wanted to know whether 
the certificate cached by the firewall can be viewed on the client PC. This firewall is 
an SSL forward proxy.
I think "-showcerts" in openssl shows the certificate which is cached, right?

Thanks,
Sharan


-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] 
On Behalf Of Dave Thompson
Sent: Thursday, October 11, 2012 1:18 AM
To: openssl-users@openssl.org
Subject: RE: SSL Certificate cache

> From: owner-openssl-us...@openssl.org On Behalf Of Sharanagoud B D
> Sent: Tuesday, 09 October, 2012 06:25

> How to check in Linux client device whether the certificate used is 
> cached or it's from the server? I am using openssl s_client to 
> establish http connection.
> 
By "the certificate used" do you mean the server's cert? 
That must always be sent by the server; even if the client has a copy already, 
the client does not know which one it is.
(It is *not* required that the same server name, or address, always use the 
same key+cert, and some don't.)

If you mean chain certs above entity and below root:
- you can see what the server sends with -showcerts on s_client
- s_client uses openssl's standard truststore, a file and/or directory in 
specified or default locations. You can look at that file and/or directory to 
see what certs are in it.
- verification is the same either way; so it shouldn't matter, unless there are 
multiple certs for the same CA subject. Public CAs generally change subject for 
new generation etc., but sometimes reuse subject to lengthen validity of an 
existing subtree or provide an alternate (or just changed) trust path to a 
subtree.

If the server sends the root cert for its cert, openssl client including 
s_client doesn't use it. openssl only trusts roots in its local truststore.

OTOH if you mean a *client* cert -- used for client auth, which is rare -- 
s_client uses only a cert explicitly specified on the command line, and you 
know what you specified. 
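
A check for the question raised in this thread, as an added example that is not part of either message: the script parses the "Certificate chain" summary that `openssl s_client -showcerts` prints (OpenSSL 1.0-style `/C=.../CN=...` summary lines, assumed captured to a file first) and reports whether any certificate the client received was signed by the firewall's forward-proxy CA, which is what distinguishes a chain re-signed by the proxy from the one the origin server holds. The sample transcript, the CA subject and the PEM placeholders are all constructed.

```python
import re

# Constructed sample of the chain section that `openssl s_client -showcerts`
# prints. The names are invented and the PEM bodies are placeholders, not
# real certificates; only the s:/i: summary lines are parsed here.
SAMPLE_OUTPUT = """\
Certificate chain
 0 s:/C=US/O=Example Inc/CN=www.example.com
   i:/C=US/O=SSLFP-Firewall/CN=Firewall Forward Proxy CA
-----BEGIN CERTIFICATE-----
(constructed placeholder, not a real certificate)
-----END CERTIFICATE-----
 1 s:/C=US/O=SSLFP-Firewall/CN=Firewall Forward Proxy CA
   i:/C=US/O=SSLFP-Firewall/CN=Firewall Forward Proxy CA
-----BEGIN CERTIFICATE-----
(constructed placeholder, not a real certificate)
-----END CERTIFICATE-----
---
Server certificate
"""

SUBJECT_LINE = re.compile(r"^\s*(\d+)\s+s:(.*)$")   # " 0 s:/C=.../CN=..."
ISSUER_LINE = re.compile(r"^\s*i:(.*)$")            # "   i:/C=.../CN=..."

def parse_chain(text):
    """Return [(depth, subject, issuer), ...] from the 'Certificate chain' block."""
    chain, depth, subject, in_chain = [], None, None, False
    for line in text.splitlines():
        if line.strip() == "Certificate chain":
            in_chain = True
        elif not in_chain:
            continue
        elif line.strip() == "---":        # section terminator in s_client output
            break
        elif (m := SUBJECT_LINE.match(line)):
            depth, subject = int(m.group(1)), m.group(2).strip()
        elif (m := ISSUER_LINE.match(line)) and subject is not None:
            chain.append((depth, subject, m.group(1).strip()))
            subject = None
    return chain

def issued_by_proxy(chain, proxy_ca_subject):
    """True if any received certificate was signed by the interception CA."""
    return any(issuer == proxy_ca_subject for _, _, issuer in chain)

def self_signed(chain):
    """Subjects sent as roots (subject == issuer); s_client ignores them for trust."""
    return [subj for _, subj, issuer in chain if subj == issuer]
```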


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org