[openssl-users] [EXTERNAL] Re: Self-signed error when using SSL_CTX_load_verify_locations CApath

Viktor Dukhovni openssl-users at dukhovni.org
Tue Dec 4 23:50:30 UTC 2018


On Tue, Dec 04, 2018 at 04:15:11PM +0100, Jakob Bohm via openssl-users wrote:

> > Care to create a PR against the "master" branch?  Something
> > along the lines of:
> >
> >      "Provided chain ends with untrusted self-signed certificate"
> >
> > or better.  Here "untrusted" might mean not trusted for the requested
> > purpose, but more precise is not always more clear.
>
> Perhaps s/untrusted/unknown/ as in
> 
> "Provided chain ends with unknown self-signed certificate".

I don't see why "unknown" is better, it could under certain conditions
be "known", but not trusted.

> Or even better, two different error codes:
> 
>  - "Only self-signed end certificate provided"
> 
>  - "Provided chain ends with unknown root certificate"

That already exists:

  crypto/x509/x509_txt.c:

    case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
        return "self signed certificate";
    case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
        return "self signed certificate in certificate chain";

-- 
	Viktor.


More information about the openssl-users mailing list