The branch master has been updated
via bdb59d97a6a92498926ad8b3d5e166258339b447 (commit)
from 4522e130c87c341342c640bba970f4b89755f1cb (commit)
- Log -----------------------------------------------------------------
commit bdb59d97a6a92498926ad8b3d5e166258339b447
Author: Matt Caswell <m...@openssl.org>
Date: Tue Apr 24 10:27:32 2018 +0100
Fix documentation for the -showcerts s_client option
This option shows the certificates as sent by the server. It is not the
full verified chain.
Fixes #4933
Reviewed-by: Rich Salz <rs...@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6067)
-----------------------------------------------------------------------
Summary of changes:
apps/s_client.c | 3 ++-
doc/man1/s_client.pod | 8 +++++---
2 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/apps/s_client.c b/apps/s_client.c
index 89cddb3..9d463f6 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -637,7 +637,8 @@ const OPTIONS s_client_options[] = {
"Disable name checks when matching DANE-EE(3) TLSA records"},
{"reconnect", OPT_RECONNECT, '-',
"Drop and re-make the connection with the same Session-ID"},
- {"showcerts", OPT_SHOWCERTS, '-', "Show all certificates in the chain"},
+ {"showcerts", OPT_SHOWCERTS, '-',
+ "Show all certificates sent by the server"},
{"debug", OPT_DEBUG, '-', "Extra output"},
{"msg", OPT_MSG, '-', "Show protocol messages"},
{"msgfile", OPT_MSGFILE, '>',
diff --git a/doc/man1/s_client.pod b/doc/man1/s_client.pod
index a06d3a6..5d33e1c 100644
--- a/doc/man1/s_client.pod
+++ b/doc/man1/s_client.pod
@@ -333,8 +333,9 @@ be used as a test that session caching is working.
=item B<-showcerts>
-Display the whole server certificate chain: normally only the server
-certificate itself is displayed.
+Displays the server certificate list as sent by the server: it only consists of
+certificates the server has sent (in the order the server has sent them). It is
+B<not> a verified chain.
=item B<-prexit>
@@ -695,7 +696,8 @@ a client certificate. Therefor merely including a client
certificate
on the command line is no guarantee that the certificate works.
If there are problems verifying a server certificate then the
-B<-showcerts> option can be used to show the whole chain.
+B<-showcerts> option can be used to show all the certificates sent by the
+server.
The B<s_client> utility is a test tool and is designed to continue the
handshake after any certificate verification errors. As a result it will
_____
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
