Hello,

> I try with the -verify option
> openssl s_client -connect localhost:8890 -CAfile trustees.pem -showcerts -state -ssl3 -msg -verify 10
>
> But still no SSL alerts are sent even if it detects an error ... can you give me the
> reason?

Yes, indeed. When I set up a server:

    $ openssl s_server -key key.pem -cert crt.pem

and connect with the client:

    $ openssl s_client -verify 10

the connection is established.
In s_client, when you use "-verify 10" the SSL_VERIFY_PEER flag is set, which (according to the documentation) means:

    SSL_VERIFY_PEER

    Server mode: the server sends a client certificate request to the
    client. The certificate returned (if any) is checked. If the
    verification process fails, the TLS/SSL handshake is immediately
    terminated with an alert message containing the reason for the
    verification failure. The behaviour can be controlled by the
    additional SSL_VERIFY_FAIL_IF_NO_PEER_CERT and SSL_VERIFY_CLIENT_ONCE
    flags.

    Client mode: the server certificate is verified. If the verification
    process fails, the TLS/SSL handshake is immediately terminated with
    an alert message containing the reason for the verification failure.
    If no server certificate is sent, because an anonymous cipher is
    used, SSL_VERIFY_PEER is ignored.

In my understanding this connection should be dropped; maybe this is a bug?

Best regards,
--
Marek Marcola <[EMAIL PROTECTED]>