[Pkg-openssl-devel] Bug#792490: openssl s_client doesn't allow for certificate pinning anymore!
Florent Daigniere
nextgens at freenetproject.org
Mon Sep 7 12:56:44 UTC 2015
On Mon, 2015-09-07 at 13:00 +0100, Ben Hutchings wrote:
>
> openssl s_client doesn't check the certificate's names either, and
> never has. It should only be used for debugging, not to make a secure
> tunnel. For secure tunnelling see the example in
> <https://www.decadent.org.uk/ben/blog/securing-git-imap-send-in-debian.html>
>
> Ben.
>
Agreed. The catch is that it's useless as a debugging tool too with the
new behaviour (see bug #792396). There's no indication whatsoever that
the system's CA path has been added to the certificate chain... and the
manual goes as far as suggesting that it isn't:
"
-CApath directory
The directory to use for server certificate verification. [...]
"
Florent