[openssl-users] [EXTERNAL] Re: Self-signed error when using SSL_CTX_load_verify_locations CApath

Blumenthal, Uri - 0553 - MITLL uri at ll.mit.edu
Tue Dec 4 23:19:53 UTC 2018


    > "Provided chain ends with unknown self-signed certificate".

I like this. 

IMHO "unrecognized" would be more confusing.

I hope the team makes up their mind quickly.

On 12/4/18, 6:17 PM, "openssl-users on behalf of Michael Wojcik" <openssl-users-bounces at openssl.org on behalf of Michael.Wojcik at microfocus.com> wrote:

    > From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf
    > Of Jakob Bohm via openssl-users
    > Sent: Tuesday, December 04, 2018 08:15
    > > Care to create a PR against the "master" branch?  Something
    > > along the lines of:
    > >
    > >      "Provided chain ends with untrusted self-signed certificate"
    > >
    > > or better.  Here "untrusted" might mean not trusted for the requested
    > > purpose, but more precise is not always more clear.
    > >
    > Perhaps s/untrusted/unknown/ as in
    >
    > "Provided chain ends with unknown self-signed certificate".
    
    Yes, that might be better. Or maybe "unrecognized". Of course there's scope for someone to misinterpret regardless of which term is used. I can suggest various alternatives in the PR and let the team decide.
    
    > Or even better, two different error codes:
    >
    >   - "Only self-signed end certificate provided"
    >
    >   - "Provided chain ends with unknown root certificate"
    >
    > (Deciding which one keeps the old error code is left as
    >   an exercise).
    
    I can raise that as a possibility too, in the PR. Obviously it's a bit more work than simply changing the existing text.
    
    --
    Michael Wojcik
    Distinguished Engineer, Micro Focus
    
    
    
    -- 
    openssl-users mailing list
    To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
    
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5249 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20181204/d95d11a5/attachment-0001.bin>


More information about the openssl-users mailing list