[Pkg-openssl-devel] Bug#691964: Bug#691964: openssl: s_client does not verify server hostname against certificate

Kurt Roeckx kurt at roeckx.be
Thu Nov 1 13:33:00 UTC 2012


On Thu, Nov 01, 2012 at 02:14:29PM +0100, Michal Suchanek wrote:
> Excerpts from Kurt Roeckx's message of Wed Oct 31 20:07:31 +0100 2012:
> > On Wed, Oct 31, 2012 at 07:37:25PM +0100, Michal Suchanek wrote:
> > > Package: openssl
> > > Version: 1.0.1c-4
> > > Severity: important
> > > 
> > > Hello,
> > > 
> > > I tried to get certificate validation working in an application using
> > > OpenSSL.
> > > 
> > > I added to call the verification routine and it rejects invalid
> > > certificates all right but forwarding the server connection through
> > > local inetd+nc does not produce an error.
> > > 
> > > Looking for working applications I tried openssl s_client and it
> > > verifies the hijacked connection too.
> > 
> > s_client should properly verify the result, and show you that
> > there is an error.  It will then continue even when the
> > verifications fails.  See the manual.
> 
> Yes, the verify result is 0 as is in my test application.
> No error is reported.
> 
> > 
> > > Is there any example of an application using openssl that can correctly
> > > verify server certificates at all?
> > 
> > As far as I know curl at least does the right thing by
> > default.
> 
> It uses gnutls so that's not surprising. gnutls has a well documented
> interface for that.

curl can be linked against either openssl, gnutls or nss.
libcurl3 is linked against openssl.  You need to make
sure you're using libcurl3-gnutls or libcurl3-nss if you don't
want to use openssl.

> > See the SSL_get_verify_result() man page.
> 
> Yes, that I do and get no error.

So why do you expect it to give an error?


Kurt
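The check the report is missing, as an added example that is not part of this thread or of OpenSSL: a verify result of 0 (X509_V_OK) from SSL_get_verify_result() only says the chain is trusted, so the application must still match the hostname it dialled against the certificate's subjectAltName dNSName entries (with a commonName fallback for certificates that carry no dNSName). The certificate dict is constructed, shaped like the output of Python's ssl.getpeercert(), and the "localhost" relay scenario mirrors the inetd+nc forwarding described above.

```python
# Added example, not code from the thread or from OpenSSL: the hostname check
# that SSL_get_verify_result() does not include (0 there is X509_V_OK).

def _name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive match of one certificate name against a hostname.

    A wildcard is accepted only as the whole leftmost label and covers exactly
    one label: *.example.org matches a.example.org, not a.b.example.org.
    """
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]

def hostname_matches(cert: dict, hostname: str) -> bool:
    """True if the certificate was issued for hostname.

    cert is shaped like the dict from ssl.SSLSocket.getpeercert(). When any
    subjectAltName dNSName exists only those count; the subject commonName is
    consulted only for certificates with no dNSName at all.
    """
    dns_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if dns_names:
        return any(_name_matches(n, hostname) for n in dns_names)
    return any(_name_matches(v, hostname)
               for rdn in cert.get("subject", ()) for k, v in rdn
               if k == "commonName")

def verify_peer(verify_result: int, cert: dict, hostname: str) -> tuple:
    """Chain result first, then the hostname the client actually dialled."""
    if verify_result != 0:
        return False, f"chain verification failed (code {verify_result})"
    if not hostname_matches(cert, hostname):
        return False, f"certificate not issued for {hostname}"
    return True, "ok"

# Constructed certificate for the real server. When the client dials
# "localhost" and a local inetd+nc relay forwards to that server, the chain
# verifies (result 0) but the name does not match, so the relay is detected.
SERVER_CERT = {
    "subject": ((("commonName", "www.example.org"),),),
    "subjectAltName": (("DNS", "www.example.org"), ("DNS", "*.example.org")),
}
```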


