From: Matt Caswell Date: Tue, 24 Apr 2018 09:27:32 +0000 (+0100) Subject: Fix documentation for the -showcerts s_client option X-Git-Tag: OpenSSL_1_1_0i~153 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=fd749e2a0fde493216e0fd2896643badd0d875fe;p=oweals%2Fopenssl.git Fix documentation for the -showcerts s_client option This option shows the certificates as sent by the server. It is not the full verified chain. Fixes #4933 Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/6068) --- diff --git a/apps/s_client.c b/apps/s_client.c index fb89f0cd61..81669d0401 100644 --- a/apps/s_client.c +++ b/apps/s_client.c @@ -593,7 +593,8 @@ OPTIONS s_client_options[] = { "Disable name checks when matching DANE-EE(3) TLSA records"}, {"reconnect", OPT_RECONNECT, '-', "Drop and re-make the connection with the same Session-ID"}, - {"showcerts", OPT_SHOWCERTS, '-', "Show all certificates in the chain"}, + {"showcerts", OPT_SHOWCERTS, '-', + "Show all certificates sent by the server"}, {"debug", OPT_DEBUG, '-', "Extra output"}, {"msg", OPT_MSG, '-', "Show protocol messages"}, {"msgfile", OPT_MSGFILE, '>', diff --git a/doc/apps/s_client.pod b/doc/apps/s_client.pod index 01a6c5f7fc..9f6c7ece57 100644 --- a/doc/apps/s_client.pod +++ b/doc/apps/s_client.pod @@ -281,8 +281,9 @@ be used as a test that session caching is working. =item B<-showcerts> -display the whole server certificate chain: normally only the server -certificate itself is displayed. +Displays the server certificate list as sent by the server: it only consists of +certificates the server has sent (in the order the server has sent them). It is +B a verified chain. =item B<-prexit> 
@@ -579,7 +580,8 @@ a client certificate. Therefor merely including a client certificate on the command line is no guarantee that the certificate works. If there are problems verifying a server certificate then the -B<-showcerts> option can be used to show the whole chain. +B<-showcerts> option can be used to show all the certificates sent by the +server. The B utility is a test tool and is designed to continue the handshake after any certificate verification errors. As a result it will
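Review bot: In the `showcerts` entry of `s_client_options` in apps/s_client.c, the new help string says what is shown but drops the caveat that the commit message and the POD text make explicit, namely that this is not a verified chain. A short qualifier in the one-line help, for example "Show all certificates sent by the server (unverified)", would keep the usage output consistent with the manual page, since many users only ever read the former.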
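Review bot: In the `=item B<-showcerts>` hunk of doc/apps/s_client.pod, the last added sentence appears here as "It is B a verified chain.", with no negation, which reads as the opposite of the commit message ("It is not the full verified chain"). Please confirm that the POD source carries the word "not" inside the bold formatting code. The first added sentence also states the same fact twice ("as sent by the server" and "it only consists of certificates the server has sent"); it could be reduced to one statement plus the remark about ordering.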
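Review bot: In the second doc/apps/s_client.pod hunk, the paragraph beginning "If there are problems verifying a server certificate" still recommends -showcerts for debugging verification failures without saying that the output is unverified and in the server's own order, so a reader of this paragraph alone can still take the list for the chain that was validated. Suggest adding a short pointer to the -showcerts option description, or repeating the "not a verified chain" caveat here. The context line above also has "Therefor", which could be corrected to "Therefore" while this paragraph is being touched.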