[openssl-users] [EXTERNAL] Re: Self-signed error when using SSL_CTX_load_verify_locations CApath

Viktor Dukhovni openssl-users at dukhovni.org
Sat Dec 1 01:38:01 UTC 2018


> On Nov 30, 2018, at 7:33 PM, Sands, Daniel via openssl-users <openssl-users at openssl.org> wrote:
> 
>> Viktor's points are all good ones, but considering how often this
>> particular message causes confusion for users and developers (at
>> least in my experience), I wonder whether changing the text to
>> "Untrusted self-signed certificate in certificate chain" would help.
>> That would suggest to the user that the problem might be an issue
>> with the trust store.
>> 
> My .02:  The message "Self-signed certificate in certificate chain"
> does make it sound like OpenSSL rejected the certificate precisely
> because it's self signed, and not because it's an untrusted root
> certificate.  I would suggest a less misleading reason, at least.

Are there compatibility concerns around changing error message
text for which users may have created regex patterns in scripts?

I agree the text could be better, but not sure in what releases
if any to change the text, since the change may cause issues
for some users.

-- 
	Viktor.



More information about the openssl-users mailing list