[openssl-users] Self-signed error when using SSL_CTX_load_verify_locations CApath

Charles Mills charlesm at mcn.org
Sat Dec 1 20:29:42 UTC 2018


I could easily be wrong -- you guys know more about certificates than I ever
will -- but I do not *think* there is any self-signed certificate in this
scenario. There should be exactly two certificates in this discussion:

1. The client certificate. It is not self-signed (in the correct sense of
the term, as opposed to the erroneous popular sense): it is signed by my
"in-house" CA.

2. The CA certificate. Yes, it is a root and self-signed, but you didn't
find it, right? (Because of my error in not running the hash utility.) If
you found it what is the problem? Does the hashing process imply trust? Then
the error message should be "untrusted CA certificate," no? (There is only
one certificate in the CApath folder.)

Am I missing something?

Charles


-----Original Message-----
From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of Viktor Dukhovni
Sent: Friday, November 30, 2018 4:37 PM
To: openssl-users at openssl.org
Subject: Re: [openssl-users] Self-signed error when using SSL_CTX_load_verify_locations CApath

> On Nov 30, 2018, at 7:25 PM, Charles Mills <charlesm at mcn.org> wrote:
> 
> Well, it ought then to say "I couldn't find any certificates at all" rather
> than "I found a self-signed certificate" when it did not.

A self-signed certificate was found, in the chain being verified.
The message should likely be more clear (perhaps along the lines
suggested by Michael Wojcik), but it is not incorrect.
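
The behaviour discussed in this thread can be reproduced with the `openssl` command line. The following is an added example, not part of the original messages: it builds a constructed CA and client certificate, then verifies the client against a CApath directory before and after `openssl rehash`, both with and without the root supplied alongside the leaf. It assumes OpenSSL 1.1.0 or later; all subject names and paths are made up.

```shell
#!/bin/sh
# Constructed demo: every subject name, file name and path here is made up.

make_pki() {  # $1 = work dir; creates a root CA, a client cert and an unhashed CApath
    mkdir -p "$1/capath" &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed In-House CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=constructed-client" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/leaf.pem" 2>/dev/null &&
    cp "$1/ca.pem" "$1/capath/inhouse-ca.pem"   # copied in, but no <hash>.0 link yet
}

verify_code() {  # $1 = work dir, rest = extra verify options; prints the X509_V_* number
    dir=$1; shift
    out=$(openssl verify -CApath "$dir/capath" "$@" "$dir/leaf.pem" 2>&1) &&
        { echo 0; return 0; }
    # First "error N at D depth lookup" line carries the verification error code.
    printf '%s\n' "$out" | sed -n 's/.*error \([0-9][0-9]*\) at.*/\1/p' | head -n 1
}

demo() {  # prints three codes: leaf only, leaf+root (both unhashed), leaf+root after rehash
    d=$(mktemp -d) && make_pki "$d" || return 1
    # Peer sends only its leaf; the CA file in CApath has no hash link, so no issuer is found.
    leaf_only=$(verify_code "$d")
    # Peer also sends its root: the chain now ends in a self-signed cert that is not trusted.
    with_root=$(verify_code "$d" -untrusted "$d/ca.pem")
    # Create the <subject-hash>.0 links that directory lookup relies on.
    openssl rehash "$d/capath" >/dev/null 2>&1 || return 1
    hashed=$(verify_code "$d" -untrusted "$d/ca.pem")
    rm -rf "$d"
    echo "$leaf_only $with_root $hashed"
}

# 20 = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
# 19 = X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN
#  0 = X509_V_OK
demo
```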


