Red Hat Bugzilla – Bug 1476032
Use Of /etc/pki/tls/cert.pem By OpenSSL Is Undocumented In Man Pages.
Last modified: 2018-03-28 08:55:02 EDT
Description of problem:
According to "man s_client" page, the use of the "-verify" option should enable server certificate verification.
I attempted to verify a server's certificate using a CAfile I knew was incorrect, fully expecting the verification to fail. It did not! I also attempted the same *without* specifying the "-CAfile" or "-CApath" options. Again, the server's certificate verified successfully!
I wasted much time trying to figure out why my tests were always verifying the server's certificate successfully, despite what the man page stated. I ultimately learned that openssl was silently using /etc/pki/tls/cert.pem as a CAfile. This is not documented in the man pages for s_client, openssl or verify.
Version-Release number of selected component (if applicable):
See attached text file.
Actual results:
Server's certificate verifies successfully.
Expected results:
Server's certificate should not verify.
The silent use of /etc/pki/tls/cert.pem as a CAfile prohibits one from using OpenSSL to test certificate chains. Even though I was originally specifying my own CAfile in the "openssl s_client" command, it always verified the server's certificate no matter what -- even when I explicitly used a wrong certificate file in the "-CAfile" option! That is unexpected and incorrect.
I'm guessing the silent use of the /etc/pki/tls/cert.pem file was done to make openssl more `user friendly`. I disagree with that, but if that feature is to remain, then the following should happen:
1. It should be documented in the man pages!
2. There should be a way to disable it from the command line.
3. It should automatically be disabled if the user uses the "-CAfile" or "-CApath" options in his/her command.
Created attachment 1305663
Output of "openssl s_client" commands demonstrating the problem.
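One way to test a chain so that the default trust store cannot influence the result, as an added example (not part of the bug report or of OpenSSL's documentation): it points OpenSSL's `SSL_CERT_FILE` and `SSL_CERT_DIR` environment variables at an empty file and an empty directory before running `openssl verify`. The function names and the two throwaway CAs are assumptions constructed for the demonstration.

```bash
#!/usr/bin/env bash
# Constructed offline fixture: all keys and certificates are generated here.
# Function and file names are assumptions for this example, not from the report.

# Directory this build uses for its default trust store (cert.pem, certs/).
default_store_dir() { openssl version -d | sed -e 's/^OPENSSLDIR: *//' -e 's/"//g'; }

# Verify cert $2 against CA file $1 only: the default store is redirected to an
# empty file and an empty directory, so nothing else can anchor the chain.
verify_isolated() {
    local cafile=$1 cert=$2 empty rc=0
    empty=$(mktemp -d) || return 2
    : > "$empty/none.pem"
    mkdir "$empty/dir"
    SSL_CERT_FILE="$empty/none.pem" SSL_CERT_DIR="$empty/dir" \
        openssl verify -CAfile "$cafile" "$cert" >/dev/null 2>&1 || rc=$?
    rm -rf "$empty"
    return "$rc"
}

# Create two unrelated CAs (ca_a, ca_b) and a leaf signed by ca_a in directory $1.
make_fixture() {
    local d=$1 ca
    for ca in ca_a ca_b; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=constructed $ca" \
            -keyout "$d/$ca.key" -out "$d/$ca.pem" 2>/dev/null || return 1
    done
    openssl req -newkey rsa:2048 -nodes -subj "/CN=leaf.example.test" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca_a.pem" -CAkey "$d/ca_a.key" \
        -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null
}

# Returns 0 only if the leaf verifies against its real issuer and is rejected
# against the unrelated CA; returns 1 if the wrong CA is accepted.
chain_test() {
    local d rc=0
    d=$(mktemp -d) || return 2
    make_fixture "$d" || { rm -rf "$d"; return 2; }
    verify_isolated "$d/ca_a.pem" "$d/leaf.pem" || rc=1   # correct issuer must pass
    verify_isolated "$d/ca_b.pem" "$d/leaf.pem" && rc=1   # wrong CA must be rejected
    rm -rf "$d"
    return "$rc"
}
```

Source the file and call `chain_test`; `default_store_dir` prints the directory whose `cert.pem` the build falls back to (`/etc/pki/tls` on the system in this report).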