[Pkg-openssl-devel] Bug#792490: Bug#792490: openssl s_client doesn't allow for certificate pinning anymore!
Kurt Roeckx
kurt at roeckx.be
Mon Sep 7 13:24:33 UTC 2015
On Mon, Sep 07, 2015 at 02:56:44PM +0200, Florent Daigniere wrote:
>
> Agreed. The catch is that it's useless as a debugging tool too with the
> new behaviour (see bug #792396). There's no indication whatsoever that
> the system's CA path has been added to the certificate chain... and the
> manual goes as far as suggesting that it isn't:
>
> "
> -CApath directory
> The directory to use for server certificate verification. [...]
> "

As far as I know there is a default CApath being used, and using
-CApath adds that directory. But I think it might be unexpected,
and clearly is still underdocumented.

I think there was some change in behaviour between 1.0.1 and
1.0.2, but I can't remember the details.

Kurt