[openssl-commits] [openssl] master update

Richard Levitte levitte at openssl.org
Wed Jan 16 21:00:07 UTC 2019


The branch master has been updated
       via  9b10986d7742a5105ac8c5f4eba8b103caf57ae9 (commit)
      from  807989df56988da92560bce4706d91d7c1371783 (commit)


- Log -----------------------------------------------------------------
commit 9b10986d7742a5105ac8c5f4eba8b103caf57ae9
Author: Richard Levitte <levitte at openssl.org>
Date:   Wed Jan 16 21:54:48 2019 +0100

    apps/verify.c: Change an old comment to clarify what the callback does
    
    Reviewed-by: Bernd Edlinger <bernd.edlinger at hotmail.de>
    (Merged from https://github.com/openssl/openssl/pull/7922)

-----------------------------------------------------------------------

Summary of changes:
 apps/verify.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/apps/verify.c b/apps/verify.c
index 3768fed..2f66912 100644
--- a/apps/verify.c
+++ b/apps/verify.c
@@ -286,16 +286,19 @@ static int cb(int ok, X509_STORE_CTX *ctx)
                cert_error,
                X509_STORE_CTX_get_error_depth(ctx),
                X509_verify_cert_error_string(cert_error));
+
+        /*
+         * Pretend that some errors are ok, so they don't stop further
+         * processing of the certificate chain.  Setting ok = 1 does this.
+         * After X509_verify_cert() is done, we verify that there were
+         * no actual errors, even if the returned value was positive.
+         */
         switch (cert_error) {
         case X509_V_ERR_NO_EXPLICIT_POLICY:
             policies_print(ctx);
             /* fall thru */
         case X509_V_ERR_CERT_HAS_EXPIRED:
-
-            /*
-             * since we are just checking the certificates, it is ok if they
-             * are self signed. But we should still warn the user.
-             */
+            /* Continue even if the leaf is a self signed cert */
         case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
             /* Continue after extension errors too */
         case X509_V_ERR_INVALID_CA:
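Review bot: The new block comment above `switch (cert_error)` says the result is re-checked after X509_verify_cert() returns, but it does not say where that check lives. That later check is the only thing that keeps `ok = 1` from turning an expired, self-signed or invalid-CA certificate into an accepted chain. Consider naming the function that performs the post-check in the comment, and stating that this callback must not be copied into other code without it. The removed comment's "we should still warn the user" rationale is also dropped; if the error-reporting call that ends just above the switch is that warning, a few words saying so would preserve the intent. Minor: "self signed" in the new one-line comment before `case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:` would read better as "self-signed".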

