On Fri, Sep 06, 2019 at 10:58:43PM +1000, Ross L Richardson wrote:
>[...]
>
> For invalid certificates, the result sometimes does not correspond with
> that from nc(1):
>
> $ ./smtp -nv -s smtps://devio.us:https
> trying host 74.81.181.124 port 443...
> certificate validation error 10
> connection error: Invalid server certificate
> done...
> $ nc -cvz devio.us https
> Connection to devio.us 443 port [tcp/https] succeeded!
> nc: tls handshake failed (certificate verification failed: certificate
> has expired)
>
> $ ./smtp -nv -s smtps://www.nokia.com.au:https
> trying host 180.150.2.201 port 443...
> valid certificate
> ^C
> $ nc -cvz www.nokia.com.au https
> Connection to www.nokia.com.au 443 port [tcp/https] succeeded!
> nc: tls handshake failed (name `www.nokia.com.au' not present in server
> certificate)
>
>[...]

To be clear... For proper verification, smtp(1) needs to check the name(s)
of the server certificate.

Ross
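
The check described in this message, as an added example (not code from smtp(1), libtls or this thread): a peer is accepted only when the chain validated and one of the certificate's names matches the host the client asked for. The matcher is a simplified form of the RFC 6125 rules, the names are constructed, and `name_matches`/`peer_acceptable` are hypothetical helpers; production code would rely on the TLS library's own check, such as `X509_check_host()`.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Match one certificate dNSName against the requested host.
 * Simplified RFC 6125 rules: case-insensitive comparison; "*" is only
 * honoured as the entire left-most label and covers exactly one label. */
static int name_matches(const char *pattern, const char *host)
{
    if (strncmp(pattern, "*.", 2) != 0)
        return strcasecmp(pattern, host) == 0;

    const char *rest = strchr(host, '.');       /* end of host's first label */
    if (rest == NULL || rest == host)
        return 0;                               /* nothing for "*" to cover */
    if (strchr(pattern + 2, '.') == NULL)
        return 0;                               /* refuse "*.com"-style names */
    return strcasecmp(pattern + 1, rest) == 0;  /* compare the ".suffix" parts */
}

/* Returns 1 only if the chain validated AND some name matches the host.
 * A valid chain for the wrong name must still be rejected. */
int peer_acceptable(int chain_ok, const char *const *names, size_t n,
    const char *host)
{
    if (!chain_ok)
        return 0;
    for (size_t i = 0; i < n; i++)
        if (name_matches(names[i], host))
            return 1;
    return 0;
}

int main(void)
{
    /* Constructed names standing in for a certificate's subjectAltName. */
    const char *const names[] = { "mail.example.org", "*.cdn.example.net" };
    const char *hosts[] = { "mail.example.org", "www.example.org",
        "a.cdn.example.net", "a.b.cdn.example.net" };

    for (size_t i = 0; i < 4; i++)
        printf("%-22s %s\n", hosts[i],
            peer_acceptable(1, names, 2, hosts[i]) ? "accept" : "reject");
    return 0;
}
```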
