[openssl.org #2547] [Bug report / Linux / openssl 0.9.8k-7ubuntu8.6] openssl genrsa creates world readable private key files

2011-06-26 Thread Alain Knaff via RT
Hello, By default, openssl genrsa -out server.key 2048 creates server.key as a world readable private key file. Yes, this can probably be worked around using umask, but the default behavior is IMHO rather dangerous if the sysadmin forgets about this, or is in a hurry. It would be safer if by defa

[openssl.org #2548] [Enhancement Request / Linux / openssl 0.9.8k-7ubuntu8.6] openssl s_client and SNI

2011-06-26 Thread Alain Knaff via RT
Hello, Currently, openssl s_client supports the -servername parameter to pass an SNI hostname. However, wouldn't it be useful to have s_client automatically use the host name specified for -connect as the SNI service name as well? So instead of saying: openssl s_client -connect www.lll.lu:443 -

[openssl.org #2549] [Bug report / Linux / openssl 0.9.8k-7ubuntu8.6] openssl s_client does not verify certificate against server's host name

2011-06-26 Thread Alain Knaff via RT
Hello, openssl s_client -connect hostname.domain.com:443 does not verify that the certificate matches the hostname. (i.e. hostname.domain.com should match either the CN of subject, or in one of the subjectAltNames) Without such verification any web site owner who has a certificate can mount a man

Re: [openssl.org #2549] [Bug report / Linux / openssl 0.9.8k-7ubuntu8.6] openssl s_client does not verify certificate against server's host name

2011-06-26 Thread David Schwartz
On 6/26/2011 5:59 AM, Alain Knaff via RT wrote: openssl s_client -connect hostname.domain.com:443 does not verify that the certificate matches the hostname. (i.e. hostname.domain.com should match either the CN of subject, or in one of the subjectAltNames) Without such verification any web sit

Re: [openssl.org #2548] [Enhancement Request / Linux / openssl 0.9.8k-7ubuntu8.6] openssl s_client and SNI

2011-06-26 Thread Peter Sylvester
On 06/26/2011 02:59 PM, Alain Knaff via RT wrote: Hello, Currently, openssl s_client supports the -servername parameter to pass an SNI hostname. However, wouldn't it be useful to have s_client automatically use the host name specified for -connect as the SNI service name as well? So instead of

Re: [openssl.org #2549] [Bug report / Linux / openssl 0.9.8k-7ubuntu8.6] openssl s_client does not verify certificate against server's host name

2011-06-26 Thread Peter Sylvester
On 06/26/2011 02:59 PM, Alain Knaff via RT wrote: Hello, openssl s_client -connect hostname.domain.com:443 does not verify that the certificate matches the hostname. (i.e. hostname.domain.com should match either the CN of subject, or in one of the subjectAltNames) Without such verification any

Re: [openssl.org #2548] [Enhancement Request / Linux / openssl 0.9.8k-7ubuntu8.6] openssl s_client and SNI

2011-06-26 Thread Peter Sylvester via RT
On 06/26/2011 02:59 PM, Alain Knaff via RT wrote: > Hello, > > Currently, openssl s_client supports the -servername parameter to pass > an SNI hostname. > > However, wouldn't it be useful to have s_client automatically use the > host name specified for -connect as the SNI service name as well? > >

Re: [openssl.org #2549] [Bug report / Linux / openssl 0.9.8k-7ubuntu8.6] openssl s_client does not verify certificate against server's host name

2011-06-26 Thread Peter Sylvester via RT
On 06/26/2011 02:59 PM, Alain Knaff via RT wrote: > Hello, > > openssl s_client -connect hostname.domain.com:443 does not verify that > the certificate matches the hostname. (i.e. hostname.domain.com should > match either the CN of subject, or in one of the subjectAltNames) > > Without such verific

Re: [openssl.org #2549] [Bug report / Linux / openssl 0.9.8k-7ubuntu8.6] openssl s_client does not verify certificate against server's host name

2011-06-26 Thread Ben Laurie
On 26/06/2011 15:40, David Schwartz wrote: > On 6/26/2011 5:59 AM, Alain Knaff via RT wrote: > >> openssl s_client -connect hostname.domain.com:443 does not verify that >> the certificate matches the hostname. (i.e. hostname.domain.com should >> match either the CN of subject, or in one of the sub
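The three tickets above (#2547 world-readable key files, #2548 SNI from the -connect host, #2549 no hostname check in s_client) all come down to defaults that are easy to forget under time pressure. The script below is an added example, not code from the tickets or from the OpenSSL project, showing the operator-side workarounds: generate the key under a umask of 077 so it is never world-readable, check and repair permissions portably, and drive s_client with explicit SNI and hostname verification. It assumes a POSIX sh with ls, cut, chmod and mktemp, an openssl binary on PATH, and the s_client options -verify_hostname and -verify_return_error, which are present in OpenSSL 1.1.0 and later but not in the 0.9.8k build the reports were filed against.

```sh
#!/bin/sh
# Added example, not code from the RT tickets or from the OpenSSL project.
# Assumes a POSIX sh with ls/cut/chmod/mktemp and an openssl binary on PATH.
# The s_client options -verify_hostname and -verify_return_error are assumed
# to exist (OpenSSL 1.1.0 and later); the 0.9.8k build in the tickets lacks them.

# #2547: write the key under a restrictive umask so the file is never
# world-readable, not even between creation and a later chmod. The umask
# change lives in a subshell so the caller's umask is left untouched.
gen_private_key() {
    out=$1
    bits=${2:-2048}
    ( umask 077 && openssl genrsa -out "$out" "$bits" 2>/dev/null )
}

# Group and other permission characters of a file ("------" when only the
# owner has access). ls -ld is used rather than stat(1) because stat's
# option syntax differs between GNU and BSD userlands.
group_other_perms() {
    ls -ld "$1" | cut -c5-10
}

# Succeed only when neither group nor other has any access to the file.
key_is_private() {
    [ "$(group_other_perms "$1")" = "------" ]
}

# Repair a key that was already written under a permissive umask.
fix_key_perms() {
    chmod 600 "$1" && key_is_private "$1"
}

# #2548 and #2549: pass the -connect host as the SNI name explicitly, and make
# s_client fail the handshake unless the chain verifies and the certificate's
# CN or subjectAltName matches that host. Without -verify_return_error the
# tool only prints the verify result and carries on, which is what the bug
# report objects to. Needs network access, so the demo below does not call
# it. The optional third argument is a CA bundle for hosts whose default
# trust store is empty.
check_server() {
    host=$1
    port=${2:-443}
    cafile=$3
    set -- -connect "$host:$port" -servername "$host" \
           -verify_hostname "$host" -verify_return_error
    [ -n "$cafile" ] && set -- "$@" -CAfile "$cafile"
    openssl s_client "$@" </dev/null >/dev/null 2>&1
}

# Demo: contrast a key written under the common 022 umask with one written by
# gen_private_key, then repair the permissive one. Skipped without openssl.
demo() {
    dir=$(mktemp -d) || return 1
    if command -v openssl >/dev/null 2>&1; then
        ( umask 022 && openssl genrsa -out "$dir/bad.key" 2048 2>/dev/null )
        gen_private_key "$dir/good.key" 2048
        printf 'bad.key  group/other bits: %s\n' "$(group_other_perms "$dir/bad.key")"
        printf 'good.key group/other bits: %s\n' "$(group_other_perms "$dir/good.key")"
        fix_key_perms "$dir/bad.key" && echo "bad.key repaired"
    fi
    rm -rf "$dir"
}

demo
```

The umask trick only covers the file that genrsa writes; keys that later get copied, backed up or checked into configuration management need the same attention, which is why key_is_private is kept as a separate check that can run in a deploy script or a cron job. For check_server, the -servername value and the -verify_hostname value are deliberately the same variable so that the name the server is asked for is the name the certificate is checked against.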