
openssl verify/Verify command line options


Louis Solomon

May 27, 2011, 10:13:47 PM

Hi,

To test some certificates that I have made with my own root CA, I have been trying to use the s_server and s_client commands of the openssl command line app.

On a quick read of the docs, I thought the -Verify (server) and -verify (client) opts would do the job. But alas, no. After testing and re-reading the docs, it appears they only limit the depth of checking, not what happens on failure.

Any chance of having these two opts actually drop the connection on failure? Or a new opt that would do this?

Louis Solomon
www.SteelBytes.com

PS: here are my testing commands, in case anyone is interested.

-------

server for all 3 experiments:

openssl s_server -accept 12345 -CAfile rootca.crt -cert test1.crt -key test1.key -Verify 1

-------

experiment 1: (all ok)

openssl s_client -host localhost -port 12345 -CAfile rootca.crt -cert test2.crt -key test2.key -verify 1

server:
verify return:1

client:
verify return:1
Verify return code: 0 (ok)

-------

experiment 2: (client.cert vs server.rootca mismatch)

openssl s_client -host localhost -port 12345 -CAfile rootca.crt -cert bad.crt -key bad.key -verify 1

server:
verify error:num=20:unable to get local issuer certificate
verify error:num=27:certificate not trusted
verify error:num=21:unable to verify the first certificate
verify return:1

client:
verify return:1
Verify return code: 0 (ok)

-------

experiment 3: (server.cert vs client.rootca mismatch)

openssl s_client -host localhost -port 12345 -CAfile badca.crt -cert test2.crt -key test2.key -verify 1

server:
verify return:1

client:
verify error:num=19:self signed certificate in certificate chain
verify return:1
Verify return code: 19 (self signed certificate in certificate chain)

-------

 
