I'm running OpenSSL 1.0.0-fips 29 Mar 2010. I made a jump from a 2009 build
yesterday and noticed my scripts were returning data that I didn't expect
to see.


It turns out that openssl now replies with something I'll call the "depth
header". This is data that I can't seem to suppress from being shown.

I have a script that pulls the expiration date and common name from a cert.
The common name part is what's throwing me now. For example, if I run...

[root@awesomeserver bin]# echo -n '' | openssl s_client -connect google.com:443 | awk 'BEGIN { p = 0 }  /BEGIN CERT/ { p = 1 } { if (p) print $0 } /END CERT/ { p = 0 }' | openssl asn1parse | grep T61STRING


I get...

depth=2 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
verify return:1
depth=1 C = US, O = Google Inc, CN = Google Internet Authority
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = *.google.com
verify return:1
DONE
  234:d=5  hl=2 l=  12 prim: T61STRING         :*.google.com


When I should only get..

  234:d=5  hl=2 l=  12 prim: T61STRING         :*.google.com


Is there a way to suppress the following part from being shown on this new
openssl version?

depth=2 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
verify return:1
depth=1 C = US, O = Google Inc, CN = Google Internet Authority
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = *.google.com
verify return:1
DONE


I'm hoping there's an 'openssl -no_depth_header' or something, but I'm not
finding such an option. Before, when I did my grep search, if the cert wasn't
using the T61STRING then it'd move on to the next check. However, now, since
it gets this "depth header" back, it thinks it found what I was looking for,
when it really never did find the droid I was looking for.


Thanks,

-Seth
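
Added example (not part of the original post and not OpenSSL project code): the depth=, "verify return" and DONE lines in the output above contain no T61STRING yet still appear after the final grep, so they never passed through the pipe; s_client writes them to stderr. The sketch below uses a constructed stand-in, fake_s_client (hypothetical, with made-up output), to show that redirecting stderr leaves only the stdout stream for the awk filter.

```shell
#!/bin/sh
# Constructed stand-in for `openssl s_client`. Assumption: like s_client, it
# sends chain-verification chatter to stderr and the session dump to stdout.
fake_s_client() {
    {
        echo 'depth=0 C = US, O = Example Inc, CN = *.example.test'
        echo 'verify return:1'
        echo 'DONE'
    } >&2
    echo 'CONNECTED(00000003)'
    echo '-----BEGIN CERTIFICATE-----'
    echo 'Q09OU1RSVUNURUQ='          # placeholder body, not a real certificate
    echo '-----END CERTIFICATE-----'
    echo 'SSL handshake has read 1 bytes'
}

# Same job as the awk program in the post: keep only the PEM block.
extract_pem() {
    awk '/BEGIN CERT/ { p = 1 } p { print } /END CERT/ { p = 0 }'
}

# What the rest of the pipeline receives once stderr is discarded.
pipeline_stdout() {
    fake_s_client 2>/dev/null | extract_pem
}

# What bypasses the pipe and lands on the terminal (stderr only).
pipeline_stderr() {
    { fake_s_client | extract_pem >/dev/null; } 2>&1
}

# Number of "depth=" lines a later grep in the pipe could ever see.
depth_lines_in_pipe() {
    pipeline_stdout | grep -c '^depth=' || true
}

# Against a real server the same redirect applies, for example:
#   openssl s_client -connect HOST:443 </dev/null 2>/dev/null | awk ... | ...
pipeline_stdout
```

Because the verification lines never enter the pipe, a grep that matches nothing still exits non-zero, so a script that tests grep's exit status or captured stdout keeps falling through to its next check.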
