[openssl-dev] [openssl.org #2768] Bug: internal_verify() hides errors from callbacks after X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE

Viktor Dukhovni openssl-users at dukhovni.org
Mon Feb 1 23:46:20 UTC 2016


On Mon, Feb 01, 2016 at 11:38:49PM +0000, Alex Rousskov via RT wrote:

> On 02/01/2016 02:32 PM, openssl-dev at openssl.org via RT wrote:
> 
> > Please be more explicit about what errors you feel were not reported.
> 
> One specific error mentioned during the previous discussion was "expired
> certificate". This was ~four years ago, so my recollection may be
> faulty, but I believe that was _not_ the only hidden error.

Expiration makes no sense for a certificate at the top of the chain;
it has no issuer, so the date is unsigned and meaningless.

> Back then, Stephen Henson semi-confirmed that some errors were hidden
> [because they were considered meaningless], so I hope we did not
> misdiagnose the issue. I do not know whether the code has changed since
> then.

I agree that the date is meaningless.  I do not agree that not
reporting "expiration" of such certificates is "hiding" an error.

IMHO, the code is correct as it stands.

-- 
	Viktor.
