[openssl-users] [EXTERNAL] Re: Self-signed error when using SSL_CTX_load_verify_locations CApath

Viktor Dukhovni openssl-users at dukhovni.org
Sat Dec 1 01:38:01 UTC 2018

> On Nov 30, 2018, at 7:33 PM, Sands, Daniel via openssl-users <openssl-users at openssl.org> wrote:
>> Viktor's points are all good ones, but considering how often this
>> particular message causes confusion for users and developers (at
>> least in my experience), I wonder whether changing the text to
>> "Untrusted self-signed certificate in certificate chain" would help.
>> That would suggest to the user that the problem might be an issue
>> with the trust store.
> My .02:  The message "Self-signed certificate in certificate chain"
> does make it sound like OpenSSL rejected the certificate precisely
> because it's self signed, and not because it's an untrusted root
> certificate.  I would suggest a less misleading reason, at least.

Are there compatibility concerns around changing error message
text for which users may have created regex patterns in scripts?

I agree the text could be better, but not sure in what releases
if any to change the text, since the change may cause issues
for some users.
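
An added illustration of the compatibility concern raised above (not part of the original message and not OpenSSL project code): a script that matches the message text stops working if the wording changes, while one keyed on the numeric verify code (19, X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN) keeps working. The sample outputs are constructed, the reworded text is the one proposed in the thread, and the function names are hypothetical.

```python
import re

# Numeric value of X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN.
SELF_SIGNED_IN_CHAIN = 19

# Brittle: depends on the exact wording of the error string.
TEXT_PATTERN = re.compile(r"self signed certificate in certificate chain")

# Sturdier: extract the numeric code that is printed next to the text.
CODE_PATTERNS = [
    re.compile(r"verify error:num=(\d+):"),            # s_client verify callback line
    re.compile(r"Verify return code: (\d+) \("),       # s_client summary line
    re.compile(r"\berror (\d+) at \d+ depth lookup"),  # "openssl verify" line
]

def verify_codes(output):
    """Return the set of numeric verify codes found in tool output."""
    codes = set()
    for line in output.splitlines():
        for pattern in CODE_PATTERNS:
            match = pattern.search(line)
            if match:
                codes.add(int(match.group(1)))
    return codes

def matches_by_text(output):
    return bool(TEXT_PATTERN.search(output))

def matches_by_code(output):
    return SELF_SIGNED_IN_CHAIN in verify_codes(output)

# Constructed sample output using the wording discussed in this thread.
CURRENT_WORDING = (
    "depth=1 CN = Example Root CA\n"
    "verify error:num=19:self signed certificate in certificate chain\n"
    "    Verify return code: 19 (self signed certificate in certificate chain)\n"
)

# Constructed sample output with the rewording proposed in the thread.
PROPOSED_WORDING = (
    "error 19 at 1 depth lookup: "
    "Untrusted self-signed certificate in certificate chain\n"
)

if __name__ == "__main__":
    for name, sample in (("current", CURRENT_WORDING), ("proposed", PROPOSED_WORDING)):
        print(name, "text:", matches_by_text(sample), "code:", matches_by_code(sample))
```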
