On Mon, Oct 20, 2008, Matthew Franglen wrote:
> Issue:
>
> The openssl s_client utility is unable to display the server certificate if
> the server certificate fails verification. Since the server certificate may
> be desired irrespective of the verification status it should be possible to
> display this certificate when verification fails.
>
> Steps to reproduce:
>
> OpenSSL version: 0.9.8g
> Ubuntu version: 8.04
> Kernel version: 2.6.24-21-generic
>
> 1) Open the command line
> 2) Enter the command 'openssl s_client -connect idp.nhc.ac.uk:8443'
>
> Output is:
> CONNECTED(00000003)
> depth=0 /O=Internet2QI/OU=InternetQuickInstall/CN=IDP.NHC.AC.UK
> verify error:num=18:self signed certificate
> verify return:1
> depth=0 /O=Internet2QI/OU=InternetQuickInstall/CN=IDP.NHC.AC.UK
> verify return:1
> 15150:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate:s3_pkt.c:1053:SSL alert number 42
> 15150:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
>
> 3) Enter the command 'openssl s_client -connect idp.nhc.ac.uk:8443 -showcerts'
>
> Output is:
> CONNECTED(00000003)
> depth=0 /O=Internet2QI/OU=InternetQuickInstall/CN=IDP.NHC.AC.UK
> verify error:num=18:self signed certificate
> verify return:1
> depth=0 /O=Internet2QI/OU=InternetQuickInstall/CN=IDP.NHC.AC.UK
> verify return:1
> 15169:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate:s3_pkt.c:1053:SSL alert number 42
> 15169:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
>
> Expected results:
>
> The certificate should be displayed even if verification fails.
>
> This can be seen as a parallel of the behaviour of the verify program,
> which states:
>
> "There is one crucial difference between the verify operations performed by
> the verify program: wherever possible an attempt is made to continue after
> an error whereas normally the verify operation would halt on the first
> error. This allows all the problems with a certificate chain to be
> determined."
>
> In the same way, the s_client program should display the certificate even
> if an error occurs. This would allow verification that the server
> certificate is the expected certificate.
>
That error is not caused by s_client failing to verify the certificate; it is
caused by the server closing the connection with a fatal alert.

The certificate is dumped in PEM form, but its fields are not printed out. You
can still view the certificate contents by dumping the output of s_client to a
file:

openssl s_client [options] >file
openssl x509 -in file -text -noout

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
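The two-step workaround Steve describes (capture the s_client output, then decode the PEM block with `openssl x509`) as a worked example, added here and not part of the original thread. It runs offline: instead of connecting to a server it generates a throwaway self-signed certificate and wraps it in a constructed s_client-style transcript, then extracts the PEM block, prints the subject and SHA-256 fingerprint, and compares that fingerprint against an expected value, which is the "is this the certificate I expect" check the reporter wanted. The function names (`extract_pem`, `capture_subject`, `capture_fingerprint`, `matches_expected`) and the sample subject are assumptions of this example, not names from OpenSSL or the thread.

```shell
#!/bin/sh
# Added example, not code from the OpenSSL project or the thread.
# Decode a server certificate from captured "openssl s_client" output even
# when the handshake ended in a fatal alert: s_client still prints the PEM
# block, so we cut it out and hand it to "openssl x509".
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for the server certificate (self-signed, like the one
# in the report, so a verify error of the same kind would occur).
make_sample_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/O=Example/OU=Sample/CN=example.invalid" \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
}

# Constructed s_client-style transcript: the PEM block surrounded by the
# verify messages and the alert error that s_client would print.
make_sample_capture() {
  {
    echo 'CONNECTED(00000003)'
    echo 'depth=0 /O=Example/OU=Sample/CN=example.invalid'
    echo 'verify error:num=18:self signed certificate'
    echo 'verify return:1'
    cat "$WORK/cert.pem"
    echo '12345:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate:s3_pkt.c:1053:SSL alert number 42'
  } >"$WORK/capture.txt"
}

# Print the first PEM certificate block found in a capture file.
# (With -showcerts there may be several; this keeps the server's own,
# which s_client prints first.)
extract_pem() {
  sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1"
}

# Subject line of the captured certificate.
capture_subject() {
  extract_pem "$1" | openssl x509 -noout -subject
}

# SHA-256 fingerprint of the captured certificate, e.g.
# "SHA256 Fingerprint=AB:CD:..." (exact label varies by OpenSSL version).
capture_fingerprint() {
  extract_pem "$1" | openssl x509 -noout -fingerprint -sha256
}

# Returns 0 if the captured certificate's fingerprint equals the expected
# string, 1 otherwise: pin the fingerprint you obtained out of band and
# compare, rather than trusting what the peer presents.
matches_expected() {
  [ "$(capture_fingerprint "$1")" = "$2" ]
}

make_sample_cert
make_sample_capture

echo "== subject =="
capture_subject "$WORK/capture.txt"
echo "== fingerprint =="
capture_fingerprint "$WORK/capture.txt"
echo "== full decode (first lines) =="
extract_pem "$WORK/capture.txt" | openssl x509 -noout -text | head -20
```

For a real server, replace `make_sample_capture` with `openssl s_client -connect host:port >capture.txt </dev/null` (with `-showcerts` if you want the whole chain) and then run the same `extract_pem` and `openssl x509` steps on that file; the fatal alert does not stop the PEM block from being written.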