[openssl-users] Self-signed error when using SSL_CTX_load_verify_locations CApath

Kyle Hamilton aerowolf at gmail.com
Sun Dec 2 06:28:59 UTC 2018

Wireshark and other packet capture tools can help you determine
exactly what's in the chain sent by the client.  If the self-signed
root isn't being sent, then the "self-signed certificate in
certificate chain" error should never have been sent, and a bug report
on that issue would be appropriate.

If the root is being sent, though, having some idea of what you're
doing when constructing your sessions could help us to figure out why
it is when you didn't intend it to be.

-Kyle H
On Sat, Dec 1, 2018 at 1:47 PM Charles Mills <charlesm at mcn.org> wrote:
> > It was found in the chain of certificates sent by the client to the
> > server for validation
> Again, I could be wrong but that is my point. I do not think the client is
> sending a chain of certificates, but rather only one, the CA-signed client
> certificate. (I wrote and configured the client, and generated the
> certificate, and loaded it into the certificate store.)
> Charles
> -----Original Message-----
> From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of
> Viktor Dukhovni
> Sent: Saturday, December 1, 2018 12:47 PM
> To: openssl-users at openssl.org
> Subject: Re: [openssl-users] Self-signed error when using
> SSL_CTX_load_verify_locations CApath
> On Sat, Dec 01, 2018 at 12:29:42PM -0800, Charles Mills wrote:
> > I could easily be wrong -- you guys know more about certificates than I
> ever
> > will -- but I do not *think* there is any self-signed certificate in this
> > scenario. There should be exactly two certificates in this discussion:
> >
> > 1. The client certificate. It is not self-signed (in the correct sense of
> > the term, as opposed to the erroneous popular sense): it is signed by my
> > "in-house" CA.
> >
> > 2. The CA certificate. Yes, it is a root and self-signed, but you didn't
> > find it, right?
> You seem to be stuck on a narrow meaning of the word "found".  The
> self-signed certificate *was* found, but not in the trust-store.
> It was found in the chain of certificates sent by the client to the
> server for validation.  That's what the error message is telling
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

More information about the openssl-users mailing list