mirror of
https://github.com/openssl/openssl.git
synced 2024-12-16 05:23:50 +08:00
Document -verify_return_error option.
This commit is contained in:
parent
997d1aac7c
commit
4e6c12f308
@ -10,6 +10,7 @@ s_client - SSL/TLS client program
|
||||
B<openssl> B<s_client>
|
||||
[B<-connect host:port>]
|
||||
[B<-verify depth>]
|
||||
[B<-verify_return_error>]
|
||||
[B<-cert filename>]
|
||||
[B<-certform DER|PEM>]
|
||||
[B<-key filename>]
|
||||
@ -99,6 +100,11 @@ Currently the verify operation continues after errors so all the problems
|
||||
with a certificate chain can be seen. As a side effect the connection
|
||||
will never fail due to a server certificate verify failure.
|
||||
|
||||
=item B<-verify_return_error>
|
||||
|
||||
Return verification errors instead of continuing. This will typically
|
||||
abort the handshake with a fatal error.
|
||||
|
||||
=item B<-CApath directory>
|
||||
|
||||
The directory to use for server certificate verification. This directory
|
||||
@ -332,6 +338,13 @@ Since the SSLv23 client hello cannot include compression methods or extensions
|
||||
these will only be supported if its use is disabled, for example by using the
|
||||
B<-no_sslv2> option.
|
||||
|
||||
The B<s_client> utility is a test tool and is designed to continue the
|
||||
handshake after any certificate verification errors. As a result it will
|
||||
accept any certificate chain (trusted or not) sent by the peer. None test
|
||||
applications should B<not> do this as it makes them vulnerable to a MITM
|
||||
attack. This behaviour can be changed by with the B<-verify_return_error>
|
||||
option: any verify errors are then returned aborting the handshake.
|
||||
|
||||
=head1 BUGS
|
||||
|
||||
Because this program has a lot of options and also because some of
|
||||
@ -339,9 +352,6 @@ the techniques used are rather old, the C source of s_client is rather
|
||||
hard to read and not a model of how things should be done. A typical
|
||||
SSL client program would be much simpler.
|
||||
|
||||
The B<-verify> option should really exit if the server verification
|
||||
fails.
|
||||
|
||||
The B<-prexit> option is a bit of a hack. We should really report
|
||||
information whenever a session is renegotiated.
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user