s_client -showcerts man text misleading: "all certificates in the chain" #4933

Closed
JDLH opened this Issue Dec 14, 2017 · 2 comments

JDLH commented Dec 14, 2017

The text of man openssl-s_client reads in part:

-showcerts
display the whole server certificate chain: normally only the server certificate itself is displayed.

However, when I use s_client -showcerts, the certificate chain does not include the CA certificate.

% openssl s_client -connect openssl.org:443 -showcerts
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = openssl.org
verify return:1
---
Certificate chain
 0 s:/CN=openssl.org
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----
... [snip]...
-----END CERTIFICATE-----
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
-----BEGIN CERTIFICATE-----
... [snip]...
-----END CERTIFICATE-----
---

Note that the certificate chain does not include an entry for CN = DST Root CA X3. My understanding of "the whole server certificate chain" is that it includes the certificate of the Root Certificate Authority (CA).

I suspect what is happening is that s_client is showing those certificates which the server sends. This is a reasonable choice, but different from "the whole certificate chain". The server is usually configured to not send the Root CA certificate, because there is not much point. The user won't trust such a certificate just because a server sends it, and the server admin assumes that the user already has a copy in their local store of trusted certificates.

This misunderstanding appears from time to time in user forums about openssl. People expect "the whole chain" to include the CA cert, and it doesn't.

Suggested fix: clarify the wording to say that -showcerts only shows what the server sent.

Also, it would perhaps help to put output at the bottom of the "Certificate chain" section to note that the CA certificate was found in the trusted collection. For example, something like:

... [snip]...
-----END CERTIFICATE-----
 2 s:/O=Digital Signature Trust Co./CN=DST Root CA X3
   Found in trusted certificate at /opt/local/etc/openssl/cert.pem
---

Diagnosis: This man text appears to come from openssl/doc/man1/s_client.pod.
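The distinction the issue describes, shown offline as an added example (this is not code from the issue or from the OpenSSL project). The script builds a throwaway root, intermediate and leaf with the openssl CLI, then prints the two views side by side: the bundle a server would hand over (leaf plus intermediate, which is all -showcerts can ever print), and the chain that openssl verify -show_chain actually builds, which reaches the root only because the root is in the trust store passed with -CAfile. All file names, subject names and the ca.cnf contents are constructed here; it needs OpenSSL 1.1.0 or later for -show_chain.

```shell
#!/bin/sh
# Added example: "certificates the server sent" vs "the verified chain".
# Everything below (names, paths, config) is constructed for this demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal extension config so the CA certs are real CAs (CA:TRUE) and the
# leaf is an end-entity cert. Subjects are supplied with -subj below.
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

# Root CA (self-signed). This is what would live in the client's trust store.
openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
    -subj "/O=Example Root/CN=Example Root CA" -days 30 \
    -config ca.cnf -extensions v3_ca 2>/dev/null

# Intermediate CA, signed by the root.
openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
    -subj "/O=Example/CN=Example Intermediate CA" -config ca.cnf 2>/dev/null
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -out int.pem -days 30 -extfile ca.cnf -extensions v3_ca 2>/dev/null

# Server (leaf) certificate, signed by the intermediate.
openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
    -subj "/CN=example.test" -config ca.cnf 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -out leaf.pem -days 30 -extfile ca.cnf -extensions v3_leaf 2>/dev/null

# A correctly configured server sends leaf + intermediate and omits the root;
# this bundle is exactly what "s_client -showcerts" would print.
cat leaf.pem int.pem > sent.pem

# Number of certificates in the bundle the server would send.
sent_cert_count() {
    grep -c 'BEGIN CERTIFICATE' sent.pem
}

# Number of certificates in the chain openssl verify built from the trust
# store (-CAfile) plus the untrusted certs the server provided. The root
# appears here although it is not in sent.pem.
verified_chain_len() {
    openssl verify -show_chain -CAfile root.pem -untrusted int.pem leaf.pem \
        | grep -c '^depth='
}

echo "== certificates the server would send (what -showcerts shows) =="
openssl crl2pkcs7 -nocrl -certfile sent.pem | openssl pkcs7 -print_certs -noout
echo "== chain built by openssl verify -show_chain (includes the root) =="
openssl verify -show_chain -CAfile root.pem -untrusted int.pem leaf.pem
echo "sent: $(sent_cert_count) certs, verified chain: $(verified_chain_len) certs"
```

The first listing has two certificates and the second has three; the extra entry at depth=2 is the root, which came from -CAfile rather than from the peer. The same comparison against a live server is -showcerts output on one side and `openssl verify -show_chain -untrusted <intermediates> <leaf>` on the other, with the intermediates cut out of the -showcerts output; a server that is missing its intermediate shows up as a verify failure in that second step even though -showcerts happily prints whatever it was given.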

JDLH commented Dec 14, 2017

I wrote a branch with documentation clarifications to openssl/doc/man1/s_client.pod at https://github.com/JDLH/openssl/tree/s_client-showcerts-doc . I haven't yet made this a pull request, because I need to look at the contributor agreement etc.

@mattcaswell mattcaswell added this to the 1.1.1 milestone Jan 23, 2018

NickMcNutt commented Feb 12, 2018

I was trying to vouch that a server was sending a correct certificate chain, and the wording of the man pages confused me as well.

mattcaswell added a commit to mattcaswell/openssl that referenced this issue Apr 24, 2018

Fix documentation for the -showcerts s_client option
This option shows the certificates as sent by the server. It is not the
full verified chain.

Fixes openssl#4933

@levitte levitte closed this in bdb59d9 Apr 25, 2018

levitte pushed a commit that referenced this issue Apr 25, 2018

Fix documentation for the -showcerts s_client option
This option shows the certificates as sent by the server. It is not the
full verified chain.

Fixes #4933

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from #6068)

levitte pushed a commit that referenced this issue Apr 25, 2018

Fix documentation for the -showcerts s_client option
This option shows the certificates as sent by the server. It is not the
full verified chain.

Fixes #4933

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from #6069)