| author | Matt Caswell <matt@openssl.org> | 2018-04-24 10:27:32 +0100 |
|---|---|---|
| committer | Matt Caswell <matt@openssl.org> | 2018-04-25 10:50:54 +0100 |
| commit | bdb59d97a6a92498926ad8b3d5e166258339b447 | |
| tree | b284bbef257d1c5a68519638543b5fb27cb98f0c | |
| parent | 4522e130c87c341342c640bba970f4b89755f1cb | |

Fix documentation for the -showcerts s_client option

This option shows the certificates as sent by the server. It is not the
full verified chain.

Fixes #4933

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6067)

-rw-r--r-- | apps/s_client.c | 3 |
-rw-r--r-- | doc/man1/s_client.pod | 8 |
2 files changed, 7 insertions, 4 deletions
diff --git a/apps/s_client.c b/apps/s_client.c index 89cddb30f8..9d463f6d81 100644 --- a/apps/s_client.c +++ b/apps/s_client.c @@ -637,7 +637,8 @@ const OPTIONS s_client_options[] = { "Disable name checks when matching DANE-EE(3) TLSA records"}, {"reconnect", OPT_RECONNECT, '-', "Drop and re-make the connection with the same Session-ID"}, - {"showcerts", OPT_SHOWCERTS, '-', "Show all certificates in the chain"}, + {"showcerts", OPT_SHOWCERTS, '-', + "Show all certificates sent by the server"}, {"debug", OPT_DEBUG, '-', "Extra output"}, {"msg", OPT_MSG, '-', "Show protocol messages"}, {"msgfile", OPT_MSGFILE, '>', diff --git a/doc/man1/s_client.pod b/doc/man1/s_client.pod index a06d3a6291..5d33e1c993 100644 --- a/doc/man1/s_client.pod +++ b/doc/man1/s_client.pod @@ -333,8 +333,9 @@ be used as a test that session caching is working. =item B<-showcerts> -Display the whole server certificate chain: normally only the server -certificate itself is displayed. +Displays the server certificate list as sent by the server: it only consists of +certificates the server has sent (in the order the server has sent them). It is +B<not> a verified chain. =item B<-prexit> @@ -695,7 +696,8 @@ a client certificate. Therefor merely including a client certificate on the command line is no guarantee that the certificate works. If there are problems verifying a server certificate then the -B<-showcerts> option can be used to show the whole chain. +B<-showcerts> option can be used to show all the certificates sent by the +server. The B<s_client> utility is a test tool and is designed to continue the handshake after any certificate verification errors. As a result it will |
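
Review bot: In the `=item B<-showcerts>` hunk of doc/man1/s_client.pod (@@ -333,8 +333,9), the new text drops the old clause "normally only the server certificate itself is displayed", so the reader no longer learns what s_client prints without the option; consider keeping that half-sentence. The first new sentence also states the same thing twice ("as sent by the server" and "it only consists of certificates the server has sent"); a single statement, followed by the ordering remark and the "It is B<not> a verified chain." sentence, would read more cleanly.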
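
Review bot: In the last hunk of doc/man1/s_client.pod (@@ -695,7 +696,8), the reworded sentence still points users with verification problems at B<-showcerts> without repeating that the list it prints is not a verified chain, which is the point the option description now makes; a short cross-reference or a repeated "not verified" remark here would keep the two passages consistent. The context line just above the change reads "Therefor merely including a client certificate"; since the patch is already editing this part of the file, "Therefor" could be corrected to "Therefore" in the same change.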