[openssl-users] [EXTERNAL] Re: Self-signed error when using SSL_CTX_load_verify_locations CApath

Jakob Bohm jb-openssl at wisemo.com
Tue Dec 4 15:15:11 UTC 2018

On 01/12/2018 21:53, Viktor Dukhovni wrote:
> On Sat, Dec 01, 2018 at 07:12:24PM +0000, Michael Wojcik wrote:
>>> Are there compatibility concerns around changing error message
>>> text for which users may have created regex patterns in scripts?
>>> I agree the text could be better, but not sure in what releases
>>> if any to change the text, since the change may cause issues
>>> for some users.
>> Sure, this is always a concern. Maybe the change could be considered for OpenSSL 3.0, since that's a major release.
> Care to create a PR against the "master" branch?  Something
> along the lines of:
>      "Provided chain ends with untrusted self-signed certificate"
> or better.  Here "untrusted" might mean not trusted for the requested
> purpose, but more precise is not always more clear.
Perhaps s/untrusted/unknown/ as in

"Provided chain ends with unknown self-signed certificate".

Or even better, two different error codes:

  - "Only self-signed end certificate provided"

  - "Provided chain ends with unknown root certificate"

(Deciding which one keeps the old error code is left as
  an exercise).

(Distinguishing a self-siged end cert from a self-signed
  root when no other certificate is provided is also left
  as an exercise).


Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

More information about the openssl-users mailing list