[openssl-users] [EXTERNAL] Re: Self-signed error when using SSL_CTX_load_verify_locations CApath

[Jakob Bohm]

On 05/12/2018 00:50, Viktor Dukhovni wrote:
> On Tue, Dec 04, 2018 at 04:15:11PM +0100, Jakob Bohm via openssl-users wrote:
>
>>> Care to create a PR against the "master" branch?  Something
>>> along the lines of:
>>>
>>>       "Provided chain ends with untrusted self-signed certificate"
>>>
>>> or better.  Here "untrusted" might mean not trusted for the requested
>>> purpose, but more precise is not always more clear.
>> Perhaps s/untrusted/unknown/ as in
>>
>> "Provided chain ends with unknown self-signed certificate".
> I don't see why "unknown" is better, it could under certain conditions
> be "known", but not trusted.
Unknown would differ from untrusted in cases where there is some
setting indicating that some certificates in the CA directory are
trusted only for some/no purposes.

This could (in current or future code) represent things such as the
trust bits in "Trusted Certificate" files.

>> Or even better, two different error codes:
>>
>>   - "Only self-signed end certificate provided"
>>
>>   - "Provided chain ends with unknown root certificate"
> That already exists:
>
>    crypto/x509/x509_txt.c:
>
>      case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
>          return "self signed certificate";
>      case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
>          return "self signed certificate in certificate chain";
>
In that case, maybe change the text to:

   "Provided chain ends with an unknown and thus untrusted root certificate"

This would capture both the fact that the root is unknown (not in
the CA stores configured/loaded) and that this is the specific
fact causing it to be untrusted.

Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded