On Mon, 7 Sep 2015 15:24:33 +0200 Kurt Roeckx <k...@roeckx.be> wrote:
> On Mon, Sep 07, 2015 at 02:56:44PM +0200, Florent Daigniere wrote:
> >
> > Agreed. The catch is that it's useless as a debugging tool too with the
> > new behaviour (see bug #792396). There's no indication whatsoever that
> > the system's CA path has been added to the certificate chain... and the
> > manual goes as far as suggesting that it isn't:
> >
> > "
> > -CApath directory
> > The directory to use for server certificate verification. [...]
> > "

The bug reports a problem because "openssl s_client is not providing any way to disregard the system's trusted CAs anymore" found in version openssl/1.0.2d-1.

I tested the option -no-CApath on a Debian stable (openssl 1.1.0j-1~deb9u1) and on a Debian testing/sid (openssl 1.1.1a-1) and it forced openssl to disregard the local system's CAs.

Can you tell me if this is what you are looking for? In this case, we can maybe ask to close this bug.

Regards,
Jean-Marc <jean-m...@6jf.be>
https://6jf.be/keys/ED863AD1.txt