Variables inserted in s_server -www output are not HTML-escaped. For example:

$ mv server.key '<b>hoiserver.key'
$ openssl s_server -cert server.crt -key '<b>hoiserver.key' -www
...
$ curl -s -k https://localhost:4433/ | grep hoi
s_server -cert server.crt -key <b>hoiserver.key -www

When viewed in a browser, the whole page becomes bold from that point on. I expect the same issue to apply to the client certificate report in this output.

Instead of <b>, someone could insert JavaScript code here to do nasty things like steal cookies. Admittedly, getting into the right place to do this on a production system is hard - but it's better to be safe than sorry.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
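
Added example, not part of the original post and not OpenSSL's own code: one way to HTML-escape a string before it is written into a status page like the -www output, shown on the argument list from the report. The helper name html_escape and the buffer size are assumptions for illustration.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical helper (not an OpenSSL function): copy src into dst with the
 * five HTML-significant characters replaced by entities. Returns the number
 * of bytes written (excluding the NUL), or -1 if dst is too small, in which
 * case dst is set to the empty string so nothing partial is emitted. */
static int html_escape(char *dst, size_t dstlen, const char *src)
{
    size_t used = 0;
    if (dst == NULL || dstlen == 0 || src == NULL)
        return -1;

    for (; *src != '\0'; src++) {
        const char *rep;
        char one[2] = { *src, '\0' };
        size_t n;
        switch (*src) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = one;      break;
        }
        n = strlen(rep);
        if (n >= dstlen - used) {   /* keep room for the terminator */
            dst[0] = '\0';
            return -1;
        }
        memcpy(dst + used, rep, n);
        used += n;
    }
    dst[used] = '\0';
    return (int)used;
}

int main(void)
{
    /* Constructed input: the argument list echoed in the report above. */
    const char *args = "s_server -cert server.crt -key <b>hoiserver.key -www";
    char out[256];
    if (html_escape(out, sizeof(out), args) < 0)
        return 1;
    printf("%s\n", out);
    return 0;
}
```

The same escaping would have to be applied to every variable written into the page, including fields taken from a client certificate.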