Hello Kees,
probably not a security issue, but take a look at the behaviour of:
openssl s_client -connect www.google.com:443 -CApath /tmp | grep 'return code'
depth=2 /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification
Authority
verify return:1
depth=1 /C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
verify return:1
depth=0 /C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
verify return:1
Verify return code: 0 (ok)
I am passing a totally bogus CApath and it's not throwing any warning or error.
Is that really the expected behaviour?
Thanks
--
openssl s_client doesn't look into the CAPath unless specified
https://bugs.launchpad.net/bugs/396818
--
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs