I realize the
openssl s_client tool tries to be upper-layer protocol agnostic, but doesn’t everything that uses SSL do commonName checking (HTTP, SMTP, IMAP, FTP, POP, XMPP)? Shouldn’t this be something
openssl s_client does by default, maybe with an option to turn it off for less common situations?
Here it doesn’t complain about connecting to “outflux.net” when the cert has a CN for “www.outflux.net”:
echo QUIT | openssl s_client -CApath /etc/ssl/certs \ -connect outflux.net:443 2>/dev/null | egrep "subject=|Verify"
subject=/CN=www.outflux.net Verify return code: 0 (ok)
© 2010, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.