[openssl-users] [EXTERNAL] Re: Self-signed error when using SSL_CTX_load_verify_locations CApath

Daniel Kahn Gillmor dkg at fifthhorseman.net
Sat Dec 1 19:54:37 UTC 2018


On Fri 2018-11-30 20:38:01 -0500, Viktor Dukhovni wrote:
> Are there compatibility concerns around changing error message
> text for which users may have created regex patterns in scripts?

I advocate making the error message in English more comprehensible.

Michael Wojcik's suggestion of "Untrusted self-signed certificate in
certificate chain" more accurately reflects the semantics of this error
message.

The error message is X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN, which is
#defined in x509_vfy.h as 19, and 19 even shows up in the specific error
message.  Scripts should be keying on this value, not on the
human-readable text.

Scripts which expect certain human-readable text will fail when the text
is localized (not done in OpenSSL yet, but perhaps it should be at some
point, it certainly is in glibc and other libraries), or when the text
is improved to be more accurate (this case).

We shouldn't let those scripts stop us from improving OpenSSL going
forward at least, though I can understand if folks are more reluctant to
change old versions in a point release.

       --dkg
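As an added example (not part of dkg's message, and not OpenSSL's own code), the following Python helper keys on the numeric verify result code rather than on the human-readable text, which is the practice the message recommends. The `verify error:num=<code>:` and `error <code> at <depth> depth lookup:` line shapes follow what `openssl s_client` and `openssl verify` print; the value 19 for X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN comes from the message, the other constants are taken from the same header, and the sample output lines are constructed so the script runs offline.

```python
import re

# Numeric verify result codes as #defined in OpenSSL's x509_vfy.h.
# 19 is the value named in the message above; the others are listed
# from the same header for illustration.
X509_V_ERR_CERT_HAS_EXPIRED = 10
X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT = 18
X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN = 19
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY = 20

# `openssl s_client` reports "verify error:num=<code>:<text>";
# `openssl verify` reports "error <code> at <depth> depth lookup: <text>".
# Both forms carry the number, so match on it and ignore the free-form text,
# which may be reworded or localized without notice.
_S_CLIENT_RE = re.compile(r"verify error:num=(\d+):")
_VERIFY_RE = re.compile(r"\berror (\d+) at (\d+) depth lookup:")


def parse_verify_error(line):
    """Return (code, depth) for a verify-error line, or None if the line is not one.

    depth is None for the s_client form, which does not print it.
    """
    m = _S_CLIENT_RE.search(line)
    if m:
        return int(m.group(1)), None
    m = _VERIFY_RE.search(line)
    if m:
        return int(m.group(1)), int(m.group(2))
    return None


def verify_errors(output):
    """All (code, depth) pairs found in a block of openssl output, in order."""
    found = []
    for line in output.splitlines():
        parsed = parse_verify_error(line)
        if parsed is not None:
            found.append(parsed)
    return found


def has_error(output, code):
    """True if the given numeric verify code appears anywhere in the output."""
    return any(c == code for c, _ in verify_errors(output))


# Constructed sample output (not captured from a real run). The fourth and
# fifth lines carry the current and the proposed wording respectively; a
# numeric match treats them identically, which a text regex would not.
SAMPLE_OUTPUT = """\
depth=1 CN = Example Internal CA
verify error:num=19:self signed certificate in certificate chain
verify return:1
error 19 at 1 depth lookup: self signed certificate in certificate chain
error 19 at 1 depth lookup: Untrusted self-signed certificate in certificate chain
error 10 at 0 depth lookup: certificate has expired
"""

if __name__ == "__main__":
    for code, depth in verify_errors(SAMPLE_OUTPUT):
        print("code", code, "depth", depth)
    print(has_error(SAMPLE_OUTPUT, X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN))
```

Feeding real `openssl verify` or `openssl s_client` output into `has_error` with the constant rather than the text keeps the check working across the wording change discussed in this thread.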