[Pkg-openssl-devel] Bug#792490: Bug#792490: openssl s_client doesn't allow for certificate pinning anymore!

Jean-Marc jean-marc at 6jf.be
Wed Feb 6 21:47:43 GMT 2019


On Mon, 7 Sep 2015 15:24:33 +0200 Kurt Roeckx <kurt at roeckx.be> wrote:
> On Mon, Sep 07, 2015 at 02:56:44PM +0200, Florent Daigniere wrote:
> > 
> > Agreed. The catch is that it's useless as a debugging tool too with the
> > new behaviour (see bug #792396). There's no indication whatsoever that
> > the system's CA path has been added to the certificate chain... and the
> > manual goes as far as suggesting that it isn't:
> > 
> > "       
> > -CApath directory
> > The directory to use for server certificate verification. [...]
> > "

The bug reports a problem because "openssl s_client is not providing any way to disregard the system's trusted CAs anymore" found in version openssl/1.0.2d-1.

I tested the option -no-CApath on a Debian stable (openssl 1.1.0j-1~deb9u1) and on a Debian testing/sid (openssl 1.1.1a-1) and it forced openssl to disregard the local system's CAs.

Can you tell me if this is what you are looking for?

In this case, we can maybe ask to close this bug.

Regards,

Jean-Marc <jean-marc at 6jf.be>
https://6jf.be/keys/ED863AD1.txt
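
The trust-store behaviour discussed in this message, as an added example (not part of the original mail or of the OpenSSL documentation). It uses `openssl verify`, which accepts the same `-CAfile` and `-no-CApath` options in OpenSSL 1.1.0 and later, so it runs offline. Assumptions: the certificates `pinned` and `other` are constructed here, and `SSL_CERT_DIR` points at a throwaway directory standing in for the system CA path.

```shell
#!/bin/sh
# Constructed demo: every certificate is generated locally; nothing touches the network.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_cert NAME: throwaway self-signed certificate $WORK/NAME.pem.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

make_cert pinned   # the one certificate we intend to trust (the pin)
make_cert other    # a different certificate that only the "system" store trusts

# Stand-in for the system CA directory. OpenSSL looks certificates up in a
# CApath by <subject_hash>.0, and SSL_CERT_DIR overrides the built-in default.
mkdir "$WORK/system-ca"
hash=$(openssl x509 -in "$WORK/other.pem" -noout -subject_hash)
cp "$WORK/other.pem" "$WORK/system-ca/$hash.0"
export SSL_CERT_DIR="$WORK/system-ca"

# check CERT [EXTRA_OPTS...]: prints "accepted" or "rejected" for CERT
# when only pinned.pem is passed as -CAfile.
check() {
    cert=$1; shift
    if openssl verify "$@" -CAfile "$WORK/pinned.pem" "$WORK/$cert.pem" \
        >/dev/null 2>&1
    then echo accepted
    else echo rejected
    fi
}

# Without -no-CApath the default directory is still consulted, so a
# certificate that is not the pin passes verification.
echo "other,  -CAfile only:       $(check other)"
# With -no-CApath only the pinned file is trusted.
echo "other,  -CAfile -no-CApath: $(check other -no-CApath)"
echo "pinned, -CAfile -no-CApath: $(check pinned -no-CApath)"
```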