On Mon, 2015-09-07 at 13:00 +0100, Ben Hutchings wrote:
>
> openssl s_client doesn't check the certificate's names either, and
> never has. It should only be used for debugging, not to make a secure
> tunnel. For secure tunnelling see the example in
> <https://www.decadent.org.uk/ben/blog/securing-git-imap-send-in-debian.html>
>
> Ben.
>

Agreed. The catch is that it's useless as a debugging tool too with the
new behaviour (see bug #792396). There's no indication whatsoever that
the system's CA path has been added to the certificate chain... and the
manual goes as far as suggesting that it isn't:

"
  -CApath directory
      The directory to use for server certificate verification. [...]
"

Florent