I proposed to add a new option "-showcerts" that tells s_client to not
only show the server certificate in base64 ("PEM") format, but all
certificates in the chain. I've long used such an addition to cut &
paste CA certificates from SSL/TLS servers that send more than one
certificate in the ServerCertificate message; example:
$ ./openssl s_client -port 443 -showcerts -host www.trustcenter.de
CONNECTED(00000004)
depth=1 /C=DE/ST=Hamburg/L=Hamburg/O=TC TrustCenter for Security in Data Networks
GmbH/OU=TC TrustCenter Class 3 [EMAIL PROTECTED]
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
0 s:/C=DE/ST=Hamburg/L=Hamburg/O=TC TrustCenter/CN=www.trustcenter.de
i:/C=DE/ST=Hamburg/L=Hamburg/O=TC TrustCenter for Security in Data Networks
GmbH/OU=TC TrustCenter Class 3 [EMAIL PROTECTED]
-----BEGIN CERTIFICATE-----
MIID3jCCA0egAwIBAgIDAeixMA0GCSqGSIb3DQEBBAUAMIG8MQswCQYDVQQGEwJE
[...]
HDKPTASu6IHLgzz9NXBkPeZG+QwxnW1eNUlh+C4+a/e4Pg==
-----END CERTIFICATE-----
1 s:/C=DE/ST=Hamburg/L=Hamburg/O=TC TrustCenter for Security in Data Networks
GmbH/OU=TC TrustCenter Class 3 [EMAIL PROTECTED]
i:/C=DE/ST=Hamburg/L=Hamburg/O=TC TrustCenter for Security in Data Networks
GmbH/OU=TC TrustCenter Class 3 [EMAIL PROTECTED]
-----BEGIN CERTIFICATE-----
MIIENTCCA56gAwIBAgIBBDANBgkqhkiG9w0BAQQFADCBvDELMAkGA1UEBhMCREUx
[...]
lbfu8ENJwl7oy3lvU7/7SYos2EvZVfIScA==
-----END CERTIFICATE-----
---
Server certificate
subject=/C=DE/ST=Hamburg/L=Hamburg/O=TC TrustCenter/CN=www.trustcenter.de
issuer=/C=DE/ST=Hamburg/L=Hamburg/O=TC TrustCenter for Security in Data Networks
GmbH/OU=TC TrustCenter Class 3 [EMAIL PROTECTED]
---
No client certificate CA names sent
---
SSL handshake has read 2506 bytes and written 229 bytes
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 1024 bit
[...]
Note that I first print the certificate subject and issuer strings and
then the complete certificate. This differs from s_client's standard
behaviour to first print the server certificate and then these
readable strings, which I think would produce more confusing output at
least in this case (and if I could be sure that no-one uses s_client
non-interactively, then I'd suggest changing that too).
*** /usr/local/httpd-src/openssl-0.9.2b/apps/s_client.c Mon Feb 15 22:05:17 1999
--- s_client.c Tue Mar 30 13:02:14 1999
***************
*** 90,95 ****
--- 90,96 ----
#endif
static int c_Pause=0;
static int c_debug=0;
+ static int c_showcerts=0;
#ifndef NOPROTO
static void sc_usage(void);
***************
*** 118,123 ****
--- 119,125 ----
BIO_printf(bio_err," -CAfile arg - PEM format file of CA's\n");
BIO_printf(bio_err," -reconnect - Drop and re-make the connection with the
same Session-ID\n");
BIO_printf(bio_err," -pause - sleep(1) after each read(2) and write(2)
system call\n");
+ BIO_printf(bio_err," -showcerts - show all certificates in the chain\n");
BIO_printf(bio_err," -debug - extra output\n");
BIO_printf(bio_err," -nbio_test - more ssl protocol testing\n");
BIO_printf(bio_err," -state - print the 'ssl' states\n");
***************
*** 171,176 ****
--- 173,179 ----
c_Pause=0;
c_quiet=0;
c_debug=0;
+ c_showcerts=0;
if (bio_err == NULL)
bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
***************
*** 227,232 ****
--- 230,237 ----
c_Pause=1;
else if (strcmp(*argv,"-debug") == 0)
c_debug=1;
+ else if (strcmp(*argv,"-showcerts") == 0)
+ c_showcerts=1;
else if (strcmp(*argv,"-nbio_test") == 0)
nbio_test=1;
else if (strcmp(*argv,"-state") == 0)
***************
*** 675,680 ****
--- 680,687 ----
X509_NAME_oneline(X509_get_issuer_name((X509 *)
sk_value(sk,i)),buf,BUFSIZ);
BIO_printf(bio," i:%s\n",buf);
+ if (c_showcerts)
+ PEM_write_bio_X509(bio,(X509 *)
+sk_value(sk,i));
}
}
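Review bot: The certificates emitted by the new `PEM_write_bio_X509` call are the chain exactly as the peer presented it, independent of whether verification succeeded — the sample output above prints the full chain directly after `verify error:num=19`. Since the stated purpose is cutting CA certificates out of this output, the usage line added in the 118,123 hunk should make that explicit, e.g. `-showcerts - show all certificates in the chain as sent by the server (unverified)`. The enclosing loop over `sk` begins outside this hunk, and the two-line body of `if (c_showcerts)` would read more safely braced; the return value of `PEM_write_bio_X509` is ignored as the surrounding `BIO_printf` calls are, so a write failure is silent.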
***************
*** 683,689 ****
if (peer != NULL)
{
BIO_printf(bio,"Server certificate\n");
! PEM_write_bio_X509(bio,peer);
X509_NAME_oneline(X509_get_subject_name(peer),
buf,BUFSIZ);
BIO_printf(bio,"subject=%s\n",buf);
--- 690,697 ----
if (peer != NULL)
{
BIO_printf(bio,"Server certificate\n");
! if (!c_showcerts) /* Redundant if we showed the whole chain */
! PEM_write_bio_X509(bio,peer);
X509_NAME_oneline(X509_get_subject_name(peer),
buf,BUFSIZ);
BIO_printf(bio,"subject=%s\n",buf);
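Review bot: Skipping the peer certificate on `!c_showcerts` assumes the chain loop in the preceding hunk already wrote `peer` as element 0 of `sk`; if that loop is guarded on the chain being non-NULL (its start is outside the hunk), a `-showcerts` run with no chain available would print no server certificate at all. Guarding on the chain as well, e.g. `if (!c_showcerts || sk == NULL) /* chain not shown above */`, preserves the previous output in that case — if a different variable carries that guard in this scope, use it instead. The comment could also record the assumption it relies on: `/* Redundant when -showcerts already printed the chain, whose element 0 is the peer cert */`.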