[Pkg-openssl-devel] Bug#691964: Bug#691964: openssl: s_client does not verify server hostname against certificate
Kurt Roeckx
kurt at roeckx.be
Wed Oct 31 19:07:31 UTC 2012
On Wed, Oct 31, 2012 at 07:37:25PM +0100, Michal Suchanek wrote:
> Package: openssl
> Version: 1.0.1c-4
> Severity: important
>
> Hello,
>
> I tried to get certificate validation working in an application using
> OpenSSL.
>
> I added to call the verification routine and it rejects invalid
> certificates all right but forwarding the server connection through
> local inetd+nc does not produce an error.
>
> Looking for working applications I tried openssl s_client and it
> verifies the hijacked connection too.
s_client should properly verify the result, and show you that
there is an error. It will then continue even when the
verification fails. See the manual.
> Is there any example of application using openssl that can correctly
> verify server certificates at all?
As far as I know curl at least does the right thing by
default.
See the SSL_get_verify_result() man page.
Please note that just calling that function is not enough, you also
need to call SSL_get_peer_certificate().
Also, just because the certificate verifies does not mean you are
connected to the right hostname; you need to check that yourself, and
you might want to look at RFC 2818 for that.
Kurt
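The hostname step Kurt describes (chain verification alone does not prove you reached the right host), as an added example that is not part of this thread or of OpenSSL: an RFC 2818 section 3.1 identity check over a certificate in the dict shape returned by Python's ssl `getpeercert()`. Chain verification itself is assumed to have been done already by the TLS library (the SSL_get_verify_result()/SSL_get_peer_certificate() calls above); the sample certificates are constructed, not real.

```python
import ipaddress
import re

def _dns_match(pattern, hostname):
    """RFC 2818 3.1: case-insensitive; '*' matches within one label only
    (*.a.com matches foo.a.com but not bar.foo.a.com; f*.com matches foo.com)."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # a wildcard never spans a dot
    for p, h in zip(p_labels, h_labels):
        if "*" in p:
            regex = "^" + ".*".join(re.escape(part) for part in p.split("*")) + "$"
            if re.match(regex, h) is None:
                return False
        elif p != h:
            return False
    return True

def check_identity(cert, hostname):
    """Return True only if `cert` is issued for `hostname` per RFC 2818.
    `cert` uses the dict shape of ssl.SSLSocket.getpeercert()."""
    sans = cert.get("subjectAltName", ())
    dns_names = [v for k, v in sans if k == "DNS"]
    ip_names = [v for k, v in sans if k == "IP Address"]
    try:
        wanted_ip = ipaddress.ip_address(hostname)
    except ValueError:
        wanted_ip = None
    if wanted_ip is not None:
        # an IP literal must match an iPAddress SAN exactly; the CN is never consulted
        return any(ipaddress.ip_address(v) == wanted_ip for v in ip_names)
    if dns_names:
        # dNSName SANs are authoritative; the CN is ignored when any are present
        return any(_dns_match(n, hostname) for n in dns_names)
    # legacy certificate without dNSName SANs: fall back to the subject Common Name
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _dns_match(value, hostname)
    return False

# Constructed sample certificate (not a real one): SAN list present, CN is a decoy.
SAMPLE_CERT = {
    "subject": ((("commonName", "decoy.example.org"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.net"),
                       ("IP Address", "192.0.2.10")),
}
# Constructed legacy certificate: no SAN extension at all, so the CN is used.
LEGACY_CERT = {"subject": ((("commonName", "legacy.example.com"),),)}
```

A proxied connection that presents a valid certificate for some other name fails `check_identity` even though the chain verifies, which is exactly the gap the report above ran into.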