
List:       libressl
Subject:    Re: Bug with -CAfile in openssl s_client
From:       Kinichiro Inoguchi <kinichiro.inoguchi () gmail ! com>
Date:       2019-06-25 16:03:29
Message-ID: 20190625160329.GA45201 () gmail ! com

Hi,

It appears that the first commit in your mail was not related to this,
since that one was already applied to LibreSSL and OpenSSL 1.0.2, not only to 1.1.1.

> I don't think so. We tested with OpenBSD 6.5 and I just verified by ktrace
> that openssl s_client also opens /etc/ssl/cert.pem even if -CAfile
> /etc/ssl/othercas.pem was given.

I tried to reproduce this on OpenBSD 6.5 and found that OpenSSL 1.0.2 (eopenssl)
behaves the same way as LibreSSL.
(The default cert.pem is used even if -CAfile is supplied.)
OpenSSL 1.1.1 (eopenssl11), on the other hand, behaves differently.

I thought this issue was the starting point of the s_client behavior change:
https://github.com/openssl/openssl/issues/2374

And this commit changed the s_client -CAfile and -CApath behavior:
https://github.com/openssl/openssl/commit/2b6bcb702d237171ec5217956a42c8dce031ea51

s_client in LibreSSL and OpenSSL 1.0.2 loads -CAfile or -CApath if given,
and then always loads the default certs as well.

s_client in OpenSSL 1.1.1 does not load the default certs if -CAfile or -CApath
is given.

I think this was an s_client specification change in 1.1.1, not a bug.

Regards,
Kinichiro Inoguchi
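The two behaviours described in the message above can be told apart offline
without ktrace. The script below is an added example, not code from this thread
or from LibreSSL/OpenSSL: it generates two unrelated test CAs (called ca-a and
ca-b here), serves a certificate signed by ca-a from a local s_server, and then
points -CAfile at ca-b while the default trust file trusts ca-a. It assumes an
`openssl` binary (LibreSSL or OpenSSL) on PATH, mktemp, a free TCP port on
127.0.0.1 (4433 unless PORT is set), and uses the SSL_CERT_FILE environment
variable, which both libraries honour, as a stand-in for /etc/ssl/cert.pem. If
the connection still verifies, s_client loaded the default store in addition to
-CAfile (the LibreSSL / OpenSSL 1.0.2 behaviour); if it fails, -CAfile was
exclusive (the OpenSSL 1.1.1 behaviour). This also matters operationally:
anyone using -CAfile to restrict trust to one CA gets no restriction at all on
the additive variant.

```shell
#!/bin/sh
# Added example, not code from this thread or from LibreSSL/OpenSSL. It checks
# offline which of the two s_client -CAfile behaviours a given openssl binary
# has. Assumes: an `openssl` (LibreSSL or OpenSSL) on PATH, mktemp, and a free
# TCP port on 127.0.0.1 (4433 unless PORT is set in the environment).
set -u

PORT="${PORT:-4433}"
WORK=""
SERVER_PID=""

# Self-signed CA named $1 -> $WORK/$1.key and $WORK/$1.pem. The tiny config
# adds basicConstraints so the cert is a valid trust anchor on every version.
make_ca() {
    printf '[req]\nprompt = no\ndistinguished_name = dn\nx509_extensions = ca\n[dn]\n[ca]\nbasicConstraints = critical,CA:TRUE\n' >"$WORK/ca.cnf"
    openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# Server certificate for localhost, signed by test CA "ca-a" only.
make_server_cert() {
    openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=localhost" -keyout "$WORK/srv.key" -out "$WORK/srv.csr" >/dev/null 2>&1 &&
    openssl x509 -req -days 1 -in "$WORK/srv.csr" -CA "$WORK/ca-a.pem" \
        -CAkey "$WORK/ca-a.key" -CAcreateserial -out "$WORK/srv.pem" >/dev/null 2>&1
}

# Two unrelated CAs (ca-a signs the server cert, ca-b does not) plus a local
# s_server answering on 127.0.0.1:$PORT.
setup() {
    WORK=$(mktemp -d)
    make_ca ca-a && make_ca ca-b && make_server_cert || return 1
    openssl s_server -accept "$PORT" -cert "$WORK/srv.pem" -key "$WORK/srv.key" \
        -www >/dev/null 2>&1 &
    SERVER_PID=$!
    sleep 1
}

teardown() {
    if [ -n "$SERVER_PID" ]; then
        kill "$SERVER_PID" 2>/dev/null || true
        wait "$SERVER_PID" 2>/dev/null || true
    fi
    if [ -n "$WORK" ]; then rm -rf "$WORK"; fi
    SERVER_PID=""; WORK=""
}

# Print the numeric "Verify return code" s_client reports (0 = chain accepted,
# empty = no result). $1 is the file used as the DEFAULT trust store:
# SSL_CERT_FILE overrides the built-in path (/etc/ssl/cert.pem on OpenBSD) in
# both LibreSSL and OpenSSL, so it stands in for cert.pem here. Remaining
# arguments are passed through to s_client (e.g. -CAfile ...).
verify_code() {
    default_store=$1; shift
    SSL_CERT_FILE="$default_store" openssl s_client -connect "127.0.0.1:$PORT" "$@" \
        </dev/null 2>/dev/null |
        sed -n 's/^ *Verify return code: \([0-9]*\).*/\1/p' | head -n 1
}

# The discriminating case: the default store trusts ca-a, -CAfile names only
# ca-b, and the server presents a cert signed by ca-a.
#   exclusive -> -CAfile replaced the default store (OpenSSL >= 1.1.0)
#   additive  -> the default store was loaded too (LibreSSL, OpenSSL 1.0.2)
#   error     -> no verify result at all (connection or setup problem)
cafile_behavior() {
    code=$(verify_code "$WORK/ca-a.pem" -CAfile "$WORK/ca-b.pem")
    case "$code" in
        "") echo error ;;
        0)  echo additive ;;
        *)  echo exclusive ;;
    esac
}

if setup; then
    echo "openssl:                       $(openssl version)"
    echo "default store only (ca-a):     $(verify_code "$WORK/ca-a.pem")"
    echo "-CAfile ca-a, default ca-b:    $(verify_code "$WORK/ca-b.pem" -CAfile "$WORK/ca-a.pem")"
    echo "-CAfile ca-b, default ca-a:    $(verify_code "$WORK/ca-a.pem" -CAfile "$WORK/ca-b.pem")"
    echo "-CAfile semantics:             $(cafile_behavior)"
fi
teardown
```

The first two connections must report 0 on any build (the trust anchor is
reachable either through the default file or through -CAfile); only the third
line differs between the two s_client generations, and cafile_behavior turns
that into a one-word verdict that can be checked in a script.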

