I'm running OpenSSL 1.0.0-fips 29 Mar 2010. I made a jump from a 2009 build yesterday and noticed my scripts were returning data that I didn't expect to see.
It turns out that openssl now replies with something I'll call the "depth header". This is data that I can't seem to suppress from being shown. I have a script that pulls the expiration date and common name from a cert. The common name part is what's throwing me now. For example, if I run...

    [root@awesomeserver bin]# echo -n '' | openssl s_client -connect google.com:443 | awk 'BEGIN { p = 0 } /BEGIN CERT/ { p = 1 } { if (p) print $0 } /END CERT/ { p = 0 }' | openssl asn1parse | grep T61STRING

I get...

    depth=2 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
    verify return:1
    depth=1 C = US, O = Google Inc, CN = Google Internet Authority
    verify return:1
    depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = *.google.com
    verify return:1
    DONE
    234:d=5 hl=2 l= 12 prim: T61STRING :*.google.com

When I should only get...

    234:d=5 hl=2 l= 12 prim: T61STRING :*.google.com

Is there a way to suppress the following part from being shown on this new openssl version?

    depth=2 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
    verify return:1
    depth=1 C = US, O = Google Inc, CN = Google Internet Authority
    verify return:1
    depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = *.google.com
    verify return:1
    DONE

I'm hoping there's an 'openssl -no_depth_header' or something, but I'm not finding such an option. Before, when I did my grep search, if the cert wasn't using the T61STRING then it'd move on to the next check. However, now, since it gets this "depth header" back, it thinks it found what I was looking for, when it really never did find the droid I was looking for.

Thanks,
-Seth
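
An added example, not part of the original post: s_client writes the `depth=`, `verify return` and `DONE` lines to stderr and the certificate dump to stdout, so the noise can be dropped at the source and the check made on grep's exit status. `fake_s_client` is a constructed stand-in with a placeholder PEM body so the sketch runs offline; all function names are hypothetical.

```bash
# Constructed stand-in for `openssl s_client -connect host:443` so this runs
# offline. Like the real tool, it writes the verify chatter and DONE to
# stderr and the session dump to stdout. The PEM body is a placeholder.
fake_s_client() {
    printf '%s\n' 'depth=0 C = US, O = Example, CN = www.example.test' \
                  'verify return:1' >&2
    printf '%s\n' 'CONNECTED(00000003)' '---' 'Certificate chain' \
                  '-----BEGIN CERTIFICATE-----' \
                  'Q09OU1RSVUNURUQ=' \
                  '-----END CERTIFICATE-----' '---'
    printf 'DONE\n' >&2
}

# The awk filter from the post, shortened: pass only the PEM block.
pem_only() {
    awk '/BEGIN CERT/ { p = 1 } p { print } /END CERT/ { p = 0 }'
}

# Wrapper that folds the whole pipeline's stderr into its result: the
# depth lines bypass awk and land in whatever the caller captures.
cert_pem_noisy() { { fake_s_client | pem_only; } 2>&1; }

# Drop s_client's stderr at the source, before the first pipe.
cert_pem_quiet() { fake_s_client 2>/dev/null | pem_only; }

# Decide on grep's exit status, not on whether any text came back.
pem_has() { cert_pem_quiet | grep -q -- "$1"; }

# With the real tool the quiet form would be (HOST is a placeholder):
#   openssl s_client -connect HOST:443 </dev/null 2>/dev/null \
#     | openssl x509 -noout -subject -enddate
```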