[openssl-users] [EXTERNAL] Re: Self-signed error when using SSL_CTX_load_verify_locations CApath
jb-openssl at wisemo.com
Tue Dec 4 15:15:11 UTC 2018
On 01/12/2018 21:53, Viktor Dukhovni wrote:
> On Sat, Dec 01, 2018 at 07:12:24PM +0000, Michael Wojcik wrote:
>>> Are there compatibility concerns around changing error message
>>> text for which users may have created regex patterns in scripts?
>>> I agree the text could be better, but not sure in what releases
>>> if any to change the text, since the change may cause issues
>>> for some users.
>> Sure, this is always a concern. Maybe the change could be considered for OpenSSL 3.0, since that's a major release.
> Care to create a PR against the "master" branch? Something
> along the lines of:
> "Provided chain ends with untrusted self-signed certificate"
> or better. Here "untrusted" might mean not trusted for the requested
> purpose, but more precise is not always more clear.
Perhaps s/untrusted/unknown/ as in
"Provided chain ends with unknown self-signed certificate".
Or even better, two different error codes:
- "Only self-signed end certificate provided"
- "Provided chain ends with unknown root certificate"
(Deciding which one keeps the old error code is left as
(Distinguishing a self-siged end cert from a self-signed
root when no other certificate is provided is also left
as an exercise).
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
More information about the openssl-users