[openssl-commits] [openssl] OpenSSL_1_0_2-stable update

Wed, 25 Apr 2018 02:56:45 -0700 

The branch OpenSSL_1_0_2-stable has been updated
       via  e77017b39c60ddbb4775e6b0d45a81fe7128caf7 (commit)
      from  9668efbcf3b924f23320b58b8f44bbe8b9490e5e (commit)


- Log -----------------------------------------------------------------
commit e77017b39c60ddbb4775e6b0d45a81fe7128caf7
Author: Matt Caswell <m...@openssl.org>
Date:   Tue Apr 24 10:27:32 2018 +0100

    Fix documentation for the -showcerts s_client option
    
    This option shows the certificates as sent by the server. It is not the
    full verified chain.
    
    Fixes #4933
    
    Reviewed-by: Rich Salz <rs...@openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/6069)

-----------------------------------------------------------------------

Summary of changes:
 apps/s_client.c       | 2 +-
 doc/apps/s_client.pod | 8 +++++---
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/apps/s_client.c b/apps/s_client.c
index c855668..9b09672 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -337,7 +337,7 @@ static void sc_usage(void)
     BIO_printf(bio_err,
                " -prexit       - print session information even on connection 
failure\n");
     BIO_printf(bio_err,
-               " -showcerts    - show all certificates in the chain\n");
+               " -showcerts    - Show all certificates sent by the server\n");
     BIO_printf(bio_err, " -debug        - extra output\n");
 #ifdef WATT32
     BIO_printf(bio_err, " -wdebug       - WATT-32 tcp debugging\n");
diff --git a/doc/apps/s_client.pod b/doc/apps/s_client.pod
index d2cad29..77cc071 100644
--- a/doc/apps/s_client.pod
+++ b/doc/apps/s_client.pod
@@ -141,8 +141,9 @@ pauses 1 second between each read and write call.
 
 =item B<-showcerts>
 
-display the whole server certificate chain: normally only the server
-certificate itself is displayed.
+Displays the server certificate list as sent by the server: it only consists of
+certificates the server has sent (in the order the server has sent them). It is
+B<not> a verified chain.
 
 =item B<-prexit>
 
@@ -354,7 +355,8 @@ a client certificate. Therefor merely including a client 
certificate
 on the command line is no guarantee that the certificate works.
 
 If there are problems verifying a server certificate then the
-B<-showcerts> option can be used to show the whole chain.
+B<-showcerts> option can be used to show all the certificates sent by the
+server.
 
 Since the SSLv23 client hello cannot include compression methods or extensions
 these will only be supported if its use is disabled, for example by using the
_____
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits

Reply via email to