[openssl-users] Self-signed error when using SSL_CTX_load_verify_locations CApath

Michael Wojcik Michael.Wojcik at microfocus.com
Fri Nov 30 23:55:49 UTC 2018


> From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf
> Of Viktor Dukhovni
> Sent: Friday, November 30, 2018 16:35
>
> > On Nov 30, 2018, at 5:00 PM, Charles Mills <charlesm at mcn.org> wrote:
> >
> > "Self-signed certificate in certificate chain" does not to me convey "No
> > certificate hash links" (or "CA certificate not found in hash links").
>
> That's not really possible, because the code that's doing certificate
> validation works with an abstract certificate store API, and does not
> know whether a particular certificate should or should not have been
> listed a trust-anchor in some store.
>
> All we know is that we've reached a self-signed certificate in the
> chain (so no further issuers can be found) and it is not in any
> of the trust stores, so verification fails.
>
> Perhaps we could document the errors in a bit more depth, but I don't
> think it is possible to tell you that your CApath was missing some
> specific symlink.

Viktor's points are all good ones, but considering how often this particular message causes confusion for users and developers (at least in my experience), I wonder whether changing the text to "Untrusted self-signed certificate in certificate chain" would help. That would suggest to the user that the problem might be an issue with the trust store.

--
Michael Wojcik
Distinguished Engineer, Micro Focus




More information about the openssl-users mailing list