[openssl-users] Self-signed error when using SSL_CTX_load_verify_locations CApath

[Charles Mills]

Well, it ought then to say "I couldn't find any certificates at all" rather
than "I found a self-signed certificate" when it did not.

I used to manage product developers. Sometimes I would point out a need for
product improvement and they would say "the code doesn't work that way." I
would reply "I understand. I'm asking you to change the code."

Charles


-----Original Message-----
From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of
Viktor Dukhovni
Sent: Friday, November 30, 2018 3:35 PM
To: openssl-users at openssl.org
Subject: Re: [openssl-users] Self-signed error when using
SSL_CTX_load_verify_locations CApath

> On Nov 30, 2018, at 5:00 PM, Charles Mills <charlesm at mcn.org> wrote:
> 
> "Self-signed certificate in certificate chain" does not to me convey "No
certificate hash links" (or "CA certificate not found in hash links").

That's not really possible, because the code that's doing certificate
validation works with an abstract certificate store API, and does not
know whether a particular certificate should or should not have been
listed a trust-anchor in some store.

All we know is that we've reached a self-signed certificate in the
chain (so no further issuers can be found) and it is not in any
of the trust stores, so verification fails.

Perhaps we could document the errors in a bit more depth, but I don't
think it is possible to tell you that your CApath was missing some
specific symlink.

-- 
-- 
	Viktor.

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users