> On May 30, 2018, at 4:06 PM, Jordan Brown <open...@jordan.maileater.net>
> wrote:
>
> And also: the certificate is unlikely to list an IP address, so it should
> fail hostname verification. You need to use a host name in your client
> connection request, not an IP address.
>
> (Pretty much, you don't ever want to use IP addresses in specifying TLS
> connections.)

True, but s_client does not do namechecks by default. You'd have
to request that behaviour with the "-verify_hostname" option. The
OP does not report doing that, so verification was likely limited
to just checking the trust chain.

A more complete invocation (with 1.1.0 or later) would be:

    openssl s_client \
        -connect $host:$port \
        -CApath $capath \
        -CAfile $cafile \
        -verify $depth \
        -servername $host \
        -verify_hostname $host \
        -verify_return_error

for suitable choices of $capath, $cafile, $depth, $host and $port
and in some cases additional desired options.

--
Viktor.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
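
An added example, not part of the message above or of OpenSSL itself: an offline illustration of the difference between checking only the trust chain and also checking the name. It uses "openssl verify", which accepts the same -verify_hostname verification option, on a throwaway self-signed certificate; the name tls.example.test and the address 192.0.2.10 are constructed placeholders, and OpenSSL 1.1.1 or later is assumed for "req -addext".

```shell
#!/bin/sh
# Chain-only verification versus verification with a name check.
# Everything here is constructed for the demo: the certificate is a
# throwaway self-signed one, trusted as its own CA.

DEMO_DIR=$(mktemp -d)
CERT="$DEMO_DIR/cert.pem"
trap 'rm -rf "$DEMO_DIR"' EXIT

# Self-signed certificate whose only subjectAltName is a DNS name.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=tls.example.test" \
        -addext "subjectAltName=DNS:tls.example.test" \
        -keyout "$DEMO_DIR/key.pem" -out "$CERT" 2>/dev/null
}

# Trust chain only: no reference name is supplied, so none is checked.
chain_ok() {
    openssl verify -CAfile "$CERT" "$CERT" 2>/dev/null \
        | grep -q ': OK$'
}

# Trust chain plus a check of the certificate against the name in $1.
name_ok() {
    openssl verify -CAfile "$CERT" -verify_hostname "$1" "$CERT" \
        2>/dev/null | grep -q ': OK$'
}

# Print the outcome of one check without aborting the script.
report() {
    if "$@"; then echo "pass: $*"; else echo "fail: $*"; fi
}

make_cert
report chain_ok                  # chain alone verifies
report name_ok tls.example.test  # name listed in the certificate
report name_ok 192.0.2.10        # IP address is not listed: mismatch
```

The first two checks pass and the third fails, which is the case the chain-only check cannot see.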