I like my SSL verification tools paranoid, and it seems openssl s_client -verify isn't paranoid enough. The man page reports:

BUGS
The -verify option should really exit if the server verification fails.

I'd like to see added: "the hostname in the certificate is not verified". I ran a little test server to test for the right way to configure the SSL certificates in an OpenLDAP server, and noticed I got the verification to work even when I was connecting to the wrong name.
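Added example, not part of the original post: a local check showing that chain validation and hostname validation are separate steps, using a throwaway self-signed certificate. The names ldap.example.test and wrong.example.test are constructed, and OpenSSL 1.1.1 or later is assumed to be on PATH.

```shell
#!/usr/bin/env bash
# Added example. Constructed names: ldap.example.test is the name in the
# certificate, wrong.example.test is a name the client should never accept.
# Assumes OpenSSL 1.1.1 or later on PATH.

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# Throwaway self-signed certificate for the test server's real name.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=ldap.example.test" \
        -addext "subjectAltName=DNS:ldap.example.test" \
        -keyout "$workdir/key.pem" -out "$workdir/cert.pem" 2>/dev/null
}

# Chain validation only, with no expected hostname supplied. The name the
# client wanted to reach plays no part in the result.
chain_ok() {
    openssl verify -CAfile "$workdir/cert.pem" "$workdir/cert.pem" 2>/dev/null |
        grep -q ': OK$'
}

# Chain validation plus a hostname check against the certificate.
# s_client takes the same -verify_hostname option; pair it there with
# -verify_return_error so a failed check aborts the handshake.
name_ok() {
    openssl verify -CAfile "$workdir/cert.pem" -verify_hostname "$1" \
        "$workdir/cert.pem" 2>/dev/null | grep -q ': OK$'
}

make_cert
chain_ok && echo "chain only: OK"
for host in ldap.example.test wrong.example.test; do
    if name_ok "$host"; then
        echo "$host: OK"
    else
        echo "$host: REJECTED (hostname mismatch)"
    fi
done
```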