[openssl-users] [EXTERNAL] Re: Self-signed error when using SSL_CTX_load_verify_locations CApath

Sands, Daniel dnsands at sandia.gov
Mon Dec 3 18:47:20 UTC 2018

On Sat, 2018-12-01 at 15:53 -0500, Viktor Dukhovni wrote:
> On Sat, Dec 01, 2018 at 07:12:24PM +0000, Michael Wojcik wrote:
> > > Are there compatibility concerns around changing error message
> > > text for which users may have created regex patterns in scripts?
> > > 
> > > I agree the text could be better, but not sure in what releases
> > > if any to change the text, since the change may cause issues
> > > for some users.
> > 
> > Sure, this is always a concern. Maybe the change could be
> > considered for OpenSSL 3.0, since that's a major release.
> Care to create a PR against the "master" branch?  Something
> along the lines of:
>     "Provided chain ends with untrusted self-signed certificate"
> or better.  Here "untrusted" might mean not trusted for the requested
> purpose, but more precise is not always more clear.

Just wondering, is there a different error for an untrusted cross-
signed root?  If it's the same error, then maybe remove "self-signed"
from the above message too, because that would not always be the case

More information about the openssl-users mailing list