[openssl-users] [EXTERNAL] Re: Self-signed error when using SSL_CTX_load_verify_locations CApath

Jakob Bohm jb-openssl at wisemo.com
Tue Dec 4 15:15:11 UTC 2018


On 01/12/2018 21:53, Viktor Dukhovni wrote:
> On Sat, Dec 01, 2018 at 07:12:24PM +0000, Michael Wojcik wrote:
>
>>> Are there compatibility concerns around changing error message
>>> text for which users may have created regex patterns in scripts?
>>>
>>> I agree the text could be better, but not sure in what releases
>>> if any to change the text, since the change may cause issues
>>> for some users.
>> Sure, this is always a concern. Maybe the change could be considered for OpenSSL 3.0, since that's a major release.
> Care to create a PR against the "master" branch?  Something
> along the lines of:
>
>      "Provided chain ends with untrusted self-signed certificate"
>
> or better.  Here "untrusted" might mean not trusted for the requested
> purpose, but more precise is not always more clear.
>
Perhaps s/untrusted/unknown/ as in

"Provided chain ends with unknown self-signed certificate".

Or even better, two different error codes:

  - "Only self-signed end certificate provided"

  - "Provided chain ends with unknown root certificate"

(Deciding which one keeps the old error code is left as
  an exercise).

(Distinguishing a self-signed end cert from a self-signed
  root when no other certificate is provided is also left
  as an exercise).

Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
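The two situations Jakob wants separate messages for, plus the CApath case from the subject line, reproduced with the openssl CLI so the numeric X509_V_ERR code and depth can be checked rather than the message text under discussion. This is an added example, not part of the thread; it assumes an `openssl` 1.1.1 or 3.x binary on PATH and generates its own throwaway keys and certificates.

```shell
#!/bin/sh
# Added example (not from the thread); assumes `openssl` 1.1.1 or 3.x on PATH.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
K="-nodes -newkey rsa:2048"   # throwaway unencrypted keys

# Case A: a lone self-signed end-entity certificate, no chain at all.
openssl req -x509 $K -subj /CN=lone-leaf -days 1 \
  -keyout "$WORK/lone.key" -out "$WORK/lone.pem" 2>/dev/null
# Case B: a leaf issued by a private self-signed root that is not trusted.
openssl req -x509 $K -subj /CN=private-root -days 1 \
  -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
openssl req -new $K -subj /CN=leaf \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
  -CAcreateserial -days 1 -out "$WORK/leaf.pem" 2>/dev/null

# Run `openssl verify` with the default trust store disabled and report "ok"
# or "<X509_V_ERR number>:<depth>" taken from the diagnostic line, so the
# numeric code is checked rather than the message text the thread debates.
verify_code() {
  if out=$(openssl verify -no-CAfile -no-CApath "$@" 2>&1); then echo ok; else
    printf '%s\n' "$out" |
      sed -n 's/^error \([0-9]*\) at \([0-9]*\) depth lookup.*/\1:\2/p' | head -n 1
  fi
}

# A: error 18 (X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) at depth 0 is the
#    "only a self-signed end certificate provided" situation.
case_a() { verify_code "$WORK/lone.pem"; }
# B: error 19 (X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN) at depth 1 is the
#    "chain ends with a self-signed root not in the trust store" situation.
case_b() { verify_code -untrusted "$WORK/root.pem" "$WORK/leaf.pem"; }
# C: the same root installed via -CAfile makes the chain verify.
case_c() { verify_code -CAfile "$WORK/root.pem" "$WORK/leaf.pem"; }
# D: a CApath directory is consulted only through <subject-hash>.N names, so an
#    unhashed copy of the root gives error 20 (no local issuer certificate)
#    until `openssl rehash` creates the hash link.
case_d_unhashed() {
  mkdir -p "$WORK/capath" && cp "$WORK/root.pem" "$WORK/capath/"
  verify_code -CApath "$WORK/capath" "$WORK/leaf.pem"
}
case_d_hashed() {
  openssl rehash "$WORK/capath" 2>/dev/null
  verify_code -CApath "$WORK/capath" "$WORK/leaf.pem"
}

printf 'A=%s B=%s C=%s D=%s then %s\n' "$(case_a)" "$(case_b)" "$(case_c)" \
  "$(case_d_unhashed)" "$(case_d_hashed)"
```

Case D is the check to run first when a self-signed or "no local issuer" error appears only with CApath: the directory must contain hash-named links, not just PEM files.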