List: libressl
Subject: Re: Bug with -CAfile in openssl s_client
From: Kinichiro Inoguchi <kinichiro.inoguchi () gmail ! com>
Date: 2019-06-25 16:03:29
Message-ID: 20190625160329.GA45201 () gmail ! com
Hi,

It appears that the first commit of your mail was not related to this,
since that was already applied to LibreSSL and OpenSSL 1.0.2, not only 1.1.1.

> I don't think so. We tested with OpenBSD 6.5 and I just verified by ktrace
> that openssl s_client also opens /etc/ssl/cert.pem even if -CAfile
> /etc/ssl/othercas.pem was given.

I tried to see this on OpenBSD 6.5 and found that OpenSSL 1.0.2 (eopenssl)
behaves the same as LibreSSL.
(default cert.pem is used even if -CAfile is supplied)
And OpenSSL 1.1.1 (eopenssl11) is different.

I thought this issue was the starting point of changing the s_client behavior:
https://github.com/openssl/openssl/issues/2374

And this commit changed the s_client CAfile and CApath behavior:
https://github.com/openssl/openssl/commit/2b6bcb702d237171ec5217956a42c8dce031ea51

s_client of LibreSSL and OpenSSL 1.0.2 loads -CAfile or -CApath if declared,
then always loads the default certs as well.
s_client of OpenSSL 1.1.1 doesn't load the default certs if -CAfile or -CApath are
declared.

I think this was an s_client specification change in 1.1.1, not a bug.

Regards,
Kinichiro Inoguchi
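As an added check that is not part of the thread above, the following POSIX shell script probes which of the two s_client behaviours the local `openssl` binary has. Instead of touching the system cert.pem it simulates the default CA store with the `SSL_CERT_FILE` environment variable (which LibreSSL, OpenSSL 1.0.2 and 1.1.1 all honour when they load the default verify paths) and runs a throwaway CA against a loopback `s_server`. The chain can only verify when the default store was loaded on top of `-CAfile`. The port number (44330), the file names and the `probe_s_client` function name are assumptions of this example, not anything from the thread.

```shell
#!/bin/sh
# Added probe (not from the thread): does this system's `openssl s_client`
# still load the default CA store when -CAfile is given?
#   "default-consulted" -> LibreSSL / OpenSSL 1.0.2 behaviour
#   "cafile-only"       -> OpenSSL 1.1.1 behaviour
# The default store is simulated with SSL_CERT_FILE, which the default
# verify-path loader honours, so the system cert.pem is never involved.
set -eu

PORT="${PROBE_PORT:-44330}"   # assumed free loopback port; override if taken

# Build a throwaway PKI under $1: CA1 signs the server cert, CA2 is unrelated.
make_test_pki() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Probe CA 1" \
        -keyout "$dir/ca1.key" -out "$dir/ca1.pem" >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Probe CA 2" \
        -keyout "$dir/ca2.key" -out "$dir/ca2.pem" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=localhost" \
        -keyout "$dir/srv.key" -out "$dir/srv.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$dir/srv.csr" -CA "$dir/ca1.pem" \
        -CAkey "$dir/ca1.key" -CAcreateserial -out "$dir/srv.pem" >/dev/null 2>&1
}

# Pull the numeric "Verify return code" out of s_client's report (0 = chain OK).
verify_code() {
    sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Prints one of: default-consulted, cafile-only, no-connection.
probe_s_client() {
    dir=$(mktemp -d)
    make_test_pki "$dir"

    openssl s_server -accept "$PORT" -cert "$dir/srv.pem" -key "$dir/srv.key" \
        -www >/dev/null 2>&1 &
    srv=$!

    # The simulated default store (SSL_CERT_FILE) holds CA1, the real signer,
    # while -CAfile hands s_client only the unrelated CA2. The server chain
    # verifies only if the default store was loaded on top of -CAfile.
    code=""
    for _ in 1 2 3 4 5 6 7 8 9 10; do
        code=$(SSL_CERT_FILE="$dir/ca1.pem" openssl s_client \
                   -connect "127.0.0.1:$PORT" -CAfile "$dir/ca2.pem" \
                   </dev/null 2>/dev/null | verify_code)
        [ -n "$code" ] && break      # empty until the server is listening
        sleep 1
    done

    kill "$srv" 2>/dev/null || true
    wait "$srv" 2>/dev/null || true
    rm -rf "$dir"

    if [ -z "$code" ]; then
        echo no-connection
    elif [ "$code" -eq 0 ]; then
        echo default-consulted
    else
        echo cafile-only
    fi
}

echo "openssl s_client with -CAfile: $(probe_s_client)"
```

On an OpenBSD 6.5 box the LibreSSL `openssl` prints `default-consulted`, matching the ktrace observation quoted above, while `eopenssl11` prints `cafile-only`; OpenSSL 3.x keeps the 1.1.1 behaviour. The practical consequence for a defender is that on the `default-consulted` side, `-CAfile` with s_client widens the trust set rather than restricting it, so a test that "passes" with a custom CA file does not prove the custom file alone is sufficient.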