[openssl-dev] [openssl.org #2768] Bug: internal_verify() hides errors from callbacks after X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE

Viktor Dukhovni openssl-users at dukhovni.org
Mon Feb 1 21:31:57 UTC 2016


On Mon, Feb 01, 2016 at 08:34:44PM +0000, Alex Rousskov via RT wrote:

> On 02/01/2016 12:40 PM, Rich Salz via RT wrote:
> > there does not seem to be anything for openssl to do here. 
> 
> OpenSSL can do one of these two things (at least):
> 
> * Start reporting post-X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE errors
> to callbacks [instead of hiding them].

This error is only reported when the chain contains exactly one
certificate that is not self-issued.  It is hard to see what other
errors you might hope to see reported, since there's nothing else
in the chain.

The error is reported late in chain construction, when all other
errors have been reported, so it is naturally the last one reported.

> * Adjust SSL_CTX_set_verify documentation to indicate that no errors are
> reported to callbacks after X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE
> [instead of saying that all errors are reported].

All errors were reported.

> > also the verify_chain code is changing a lot in 1.1
> 
> I hope this problem will be taken into consideration during the rewrite.

Please be more explicit about what errors you feel were not reported.

-- 
	Viktor.

