[Pkg-openssl-devel] Bug#792490: openssl s_client doesn't allow for certificate pinning anymore!

Florent Daigniere nextgens at freenetproject.org
Wed Jul 15 10:52:24 UTC 2015


Package: openssl
Version: 1.0.2d-1
Severity: grave
Tags: security
Justification: user security hole

Dear Maintainer,

It looks like openssl s_client is not providing any way to disregard the system's trusted CAs anymore... and this is a regression from Jessie.

with 1.0.2d-1 (sid)
$strace -f -e open openssl s_client -no_alt_chains -CAfile /dev/null -CApath /var/empty/ -connect imap.gmail.com:imaps
....
open("/usr/lib/ssl/certs/578d5c04.0", O_RDONLY) = 4
....
    Verify return code: 0 (ok)


with 1.0.1k-3+deb8u1 (Jessie)
$openssl s_client -CAfile /dev/null -CApath /var/empty/ -connect imap.gmail.com:imaps
....
    Verify return code: 20 (unable to get local issuer certificate)


other options like -verify_return_error don't seem to help either...

Three questions spring to mind:
	- How can we get it to do what's expected? (new options have been introduced... but I can't seem to find the equivalent of -trusted for openssl verify)
	- Is it sane to change the behaviour like that without documenting it?

Regards,
	Florent


-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.0.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages openssl depends on:
ii  libc6        2.19-19
ii  libssl1.0.0  1.0.2d-1

openssl recommends no packages.

Versions of packages openssl suggests:
ii  ca-certificates  20150426
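What the report asks of s_client (trust only the file given with -CAfile, never the system store) can be checked directly with a pinned client built on Python's ssl module. This is an added example, not code from the bug report or from Debian's openssl package; it assumes Python 3.7+ and an openssl CLI (1.1.1 or later, for -addext) on PATH, mints two constructed self-signed test certificates in a temporary directory, and talks to a loopback server instead of imap.gmail.com.

```python
import os, socket, ssl, subprocess, tempfile, threading
def make_self_signed(directory, name):
    """Self-signed cert/key from the openssl CLI (assumed on PATH, 1.1.1+ for -addext)."""
    key, crt = os.path.join(directory, name + ".key"), os.path.join(directory, name + ".crt")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
                    "-subj", "/CN=localhost", "-addext", "subjectAltName=DNS:localhost",
                    "-keyout", key, "-out", crt], check=True, capture_output=True)
    return crt, key

def pinned_client_context(pinned_pem):
    """Trust exactly one PEM file: load_default_certs() is never called, so the system store is out."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # empty trust store; CERT_REQUIRED + check_hostname preset
    ctx.load_verify_locations(cafile=pinned_pem)  # an empty file raises SSLError, unlike -CAfile /dev/null
    return ctx

def _serve_once(lsock, crt, key):
    """One-shot TLS server; a client rejecting our certificate surfaces here as a handshake alert."""
    srv = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    srv.load_cert_chain(crt, key)
    conn, _ = lsock.accept()
    try:
        with srv.wrap_socket(conn, server_side=True) as tls:
            tls.recv(1)
    except OSError:
        pass  # client aborted the handshake (ssl.SSLError is an OSError)

def handshake_ok(pinned_pem, server_crt, server_key):
    """True if a client pinned to pinned_pem accepts a server presenting server_crt."""
    lsock = socket.socket()
    lsock.bind(("127.0.0.1", 0))
    lsock.listen(1)
    t = threading.Thread(target=_serve_once, args=(lsock, server_crt, server_key), daemon=True)
    t.start()
    try:
        with socket.create_connection(lsock.getsockname()) as raw, \
                pinned_client_context(pinned_pem).wrap_socket(raw, server_hostname="localhost") as tls:
            tls.sendall(b"x")
        return True
    except ssl.SSLCertVerificationError:
        return False
    finally:
        t.join(5)
        lsock.close()

def run_demo():
    """(pinned to the server's own cert, pinned to an unrelated cert) -> expect (True, False)."""
    with tempfile.TemporaryDirectory() as d:
        server_crt, server_key = make_self_signed(d, "server")
        other_crt, _ = make_self_signed(d, "other")
        return handshake_ok(server_crt, server_crt, server_key), handshake_ok(other_crt, server_crt, server_key)
```

run_demo() returns (True, False): the handshake succeeds only when the pinned file is the server's own certificate, and pinning an unrelated certificate fails with SSLCertVerificationError because the context never falls back to /usr/lib/ssl/certs.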
