Self-signed error when using SSL_CTX_load_verify_locations CApath


Self-signed error when using SSL_CTX_load_verify_locations CApath

Charles Mills

(Apologies if a duplicate – I think I mis-sent the first attempt.)

I wrote a TLS server application that runs under Windows and has been working successfully for years. I am currently using OpenSSL 1.1.0f. When I wrote the code I only supported a single CA file for client certificates. I pass the file name in through SSL_CTX_load_verify_locations CAfile and with CApath NULL. Recently I was asked to add support for multiple CA files. I updated my parameter handling to support a CA path, and I can now pass the path instead using SSL_CTX_load_verify_locations CApath.

I am using a client certificate that was signed by my “homegrown” CA (which uses the OpenSSL utility). When I point to the CA .PEM with SSL_CTX_load_verify_locations CAfile it works perfectly. When instead I use CApath to point to a folder that contains only that one .PEM file it fails. My verify callback is driven with

-Error with certificate at depth: 1
err 19:self signed certificate in certificate chain
error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed:ssl\statem\statem_srvr.c:2893:

Yes, the CA certificate is a root certificate and is self-signed. But it works as a CAfile. Can someone give me some guidance here?

FWIW I specify SSL_CTX_set_verify(sslContext, SSL_VERIFY_PEER, verify_callback);

Thanks,

Charles



--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: Self-signed error when using SSL_CTX_load_verify_locations CApath

Viktor Dukhovni
> On Nov 30, 2018, at 12:47 PM, Charles Mills <[hidden email]> wrote:
>
> I am using a client certificate that was signed by my “homegrown” CA (which uses the OpenSSL utility). When I point to the CA .PEM with SSL_CTX_load_verify_locations CAfile it works perfectly. When instead I use CApath to point to a folder that contains only that one .PEM file it fails.

See the documentation of c_rehash.

--
        Viktor.

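The one-line answer above points at the real cause: OpenSSL looks trust anchors up in a CApath by hashed file name, so a folder that merely contains ca.pem is, to the verifier, an empty trust store. The following pre-flight audit is an added example, not code from the thread or from OpenSSL; `rehash_cert()` assumes the `openssl` CLI is on PATH, and `demo()` uses constructed placeholder files and a constructed hash name rather than real certificates.

```python
"""Audit an OpenSSL CApath before calling SSL_CTX_load_verify_locations(ctx, NULL, capath).

CApath lookup is by file name, not content: a CA is only consulted if the
directory holds an entry named <subject_hash>.<n> (8 lowercase hex digits,
a dot, a sequence number) as created by c_rehash or `openssl rehash`.
A directory holding only ca.pem therefore acts as an empty trust store, and a
client chain ending in that CA fails with X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN
(error 19) even though the CA file "is right there".
"""
import hashlib
import os
import re
import subprocess
import tempfile

# c_rehash naming: certificates are "<hash>.<n>", CRLs are "<hash>.r<n>".
HASH_LINK_RE = re.compile(r"^[0-9a-f]{8}\.r?\d+$")
CERT_SUFFIXES = (".pem", ".crt", ".cer")


def _digest(path):
    """SHA-256 of a file's bytes; None for a dangling link or missing file."""
    if not os.path.isfile(path):
        return None
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def _link_or_copy(capath, target, name):
    """Create <name> pointing at <target> the way c_rehash does: a relative
    symlink, falling back to a copy where symlinks are unavailable (Windows)."""
    link = os.path.join(capath, name)
    try:
        os.symlink(target, link)
    except (OSError, NotImplementedError):
        with open(os.path.join(capath, target), "rb") as src, open(link, "wb") as dst:
            dst.write(src.read())


def audit_capath(capath):
    """Return (hash_links, unreachable_certs) for a CApath directory.

    hash_links: the entries OpenSSL will actually consult.
    unreachable_certs: certificate files whose content no hash link (symlink
    or copy) leads to, i.e. CAs that the CApath lookup silently ignores.
    """
    entries = sorted(os.listdir(capath))
    hash_links = [e for e in entries if HASH_LINK_RE.match(e)]
    # Compare by content so both symlinks (Unix) and copies (Windows) count.
    linked = {_digest(os.path.join(capath, e)) for e in hash_links} - {None}
    certs = [e for e in entries if e.lower().endswith(CERT_SUFFIXES)]
    unreachable = [c for c in certs if _digest(os.path.join(capath, c)) not in linked]
    return hash_links, unreachable


def rehash_cert(capath, cert_file):
    """Add the missing <subject_hash>.<n> entry for one certificate.

    Shells out to the openssl CLI (assumed on PATH) for the subject hash, as
    c_rehash does, and takes the first free sequence number so that two CAs
    whose subject hashes collide get .0 and .1 instead of clobbering.
    Returns the entry name created.
    """
    cert_path = os.path.join(capath, cert_file)
    out = subprocess.run(["openssl", "x509", "-noout", "-subject_hash", "-in", cert_path],
                         check=True, capture_output=True, text=True)
    subject_hash = out.stdout.strip()
    n = 0
    while os.path.exists(os.path.join(capath, f"{subject_hash}.{n}")):
        n += 1
    _link_or_copy(capath, cert_file, f"{subject_hash}.{n}")
    return f"{subject_hash}.{n}"


def demo():
    """The thread's situation on constructed data: a CApath holding only ca.pem,
    then the same directory once a hash link exists. Returns both audits."""
    capath = tempfile.mkdtemp(prefix="capath-demo-")
    with open(os.path.join(capath, "ca.pem"), "w") as fh:
        # Constructed placeholder content, not a real certificate.
        fh.write("-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n")
    before = audit_capath(capath)   # ([], ['ca.pem']): the CA is invisible to OpenSSL
    # Constructed hash name; a real one comes from rehash_cert() / `openssl x509 -subject_hash`.
    _link_or_copy(capath, "ca.pem", "0123abcd.0")
    after = audit_capath(capath)    # (['0123abcd.0'], [])
    return before, after


if __name__ == "__main__":
    print(demo())
```

Run `audit_capath()` on the directory you hand to CApath at startup and refuse to serve when `unreachable_certs` is non-empty; that turns the misleading error 19 at handshake time into a clear configuration error at start-up.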

Re: Self-signed error when using SSL_CTX_load_verify_locations CApath

Charles Mills
Thank you, yes, that solved it.

May I respectfully suggest that you consider improving the error message?

"Self-signed certificate in certificate chain" does not to me convey "No certificate hash links" (or "CA certificate not found in hash links").

Charles



Re: Self-signed error when using SSL_CTX_load_verify_locations CApath

Viktor Dukhovni
> On Nov 30, 2018, at 5:00 PM, Charles Mills <[hidden email]> wrote:
>
> "Self-signed certificate in certificate chain" does not to me convey "No certificate hash links" (or "CA certificate not found in hash links").

That's not really possible, because the code that's doing certificate
validation works with an abstract certificate store API, and does not
know whether a particular certificate should or should not have been
listed a trust-anchor in some store.

All we know is that we've reached a self-signed certificate in the
chain (so no further issuers can be found) and it is not in any
of the trust stores, so verification fails.

Perhaps we could document the errors in a bit more depth, but I don't
think it is possible to tell you that your CApath was missing some
specific symlink.

--
        Viktor.


Re: Self-signed error when using SSL_CTX_load_verify_locations CApath

Michael Wojcik
> From: openssl-users [mailto:[hidden email]] On Behalf
> Of Viktor Dukhovni
> Sent: Friday, November 30, 2018 16:35
>
> > On Nov 30, 2018, at 5:00 PM, Charles Mills <[hidden email]> wrote:
> >
> > "Self-signed certificate in certificate chain" does not to me convey "No
> > certificate hash links" (or "CA certificate not found in hash links").
>
> That's not really possible, because the code that's doing certificate
> validation works with an abstract certificate store API, and does not
> know whether a particular certificate should or should not have been
> listed a trust-anchor in some store.
>
> All we know is that we've reached a self-signed certificate in the
> chain (so no further issuers can be found) and it is not in any
> of the trust stores, so verification fails.
>
> Perhaps we could document the errors in a bit more depth, but I don't
> think it is possible to tell you that your CApath was missing some
> specific symlink.

Viktor's points are all good ones, but considering how often this particular message causes confusion for users and developers (at least in my experience), I wonder whether changing the text to "Untrusted self-signed certificate in certificate chain" would help. That would suggest to the user that the problem might be an issue with the trust store.

--
Michael Wojcik
Distinguished Engineer, Micro Focus



Re: Self-signed error when using SSL_CTX_load_verify_locations CApath

Charles Mills
In reply to this post by Viktor Dukhovni
Well, it ought then to say "I couldn't find any certificates at all" rather
than "I found a self-signed certificate" when it did not.

I used to manage product developers. Sometimes I would point out a need for
product improvement and they would say "the code doesn't work that way." I
would reply "I understand. I'm asking you to change the code."

Charles



Re: [EXTERNAL] Re: Self-signed error when using SSL_CTX_load_verify_locations CApath

OpenSSL - User mailing list
In reply to this post by Michael Wojcik
On Fri, 2018-11-30 at 23:55 +0000, Michael Wojcik wrote:

> > > "Self-signed certificate in certificate chain" does not to me
> > > convey "No certificate hash links" (or "CA certificate not found
> > > in hash links").
> >
> Viktor's points are all good ones, but considering how often this
> particular message causes confusion for users and developers (at
> least in my experience), I wonder whether changing the text to
> "Untrusted self-signed certificate in certificate chain" would help.
> That would suggest to the user that the problem might be an issue
> with the trust store.
>
My .02:  The message "Self-signed certificate in certificate chain"
does make it sound like OpenSSL rejected the certificate precisely
because it's self signed, and not because it's an untrusted root
certificate.  I would suggest a less misleading reason, at least.

Re: Self-signed error when using SSL_CTX_load_verify_locations CApath

Viktor Dukhovni
In reply to this post by Charles Mills
> On Nov 30, 2018, at 7:25 PM, Charles Mills <[hidden email]> wrote:
>
> Well, it ought then to say "I couldn't find any certificates at all" rather
> than "I found a self-signed certificate" when it did not.

A self-signed certificate was found, in the chain being verified.
The message should likely be more clear (perhaps along the lines
suggested by Michael Wojcik), but it is not incorrect.

--
        Viktor.


Re: [EXTERNAL] Re: Self-signed error when using SSL_CTX_load_verify_locations CApath

Viktor Dukhovni
In reply to this post by OpenSSL - User mailing list
> On Nov 30, 2018, at 7:33 PM, Sands, Daniel via openssl-users <[hidden email]> wrote:
>
>> Viktor's points are all good ones, but considering how often this
>> particular message causes confusion for users and developers (at
>> least in my experience), I wonder whether changing the text to
>> "Untrusted self-signed certificate in certificate chain" would help.
>> That would suggest to the user that the problem might be an issue
>> with the trust store.
>>
> My .02:  The message "Self-signed certificate in certificate chain"
> does make it sound like OpenSSL rejected the certificate precisely
> because it's self signed, and not because it's an untrusted root
> certificate.  I would suggest a less misleading reason, at least.

Are there compatibility concerns around changing error message
text for which users may have created regex patterns in scripts?

I agree the text could be better, but not sure in what releases
if any to change the text, since the change may cause issues
for some users.

--
        Viktor.


Re: [EXTERNAL] Re: Self-signed error when using SSL_CTX_load_verify_locations CApath

Michael Wojcik
> From: openssl-users [mailto:[hidden email]] On Behalf
> Of Viktor Dukhovni
> Sent: Friday, November 30, 2018 18:38
>
> Are there compatibility concerns around changing error message
> text for which users may have created regex patterns in scripts?
>
> I agree the text could be better, but not sure in what releases
> if any to change the text, since the change may cause issues
> for some users.

Sure, this is always a concern. Maybe the change could be considered for OpenSSL 3.0, since that's a major release.

--
Michael Wojcik
Distinguished Engineer, Micro Focus




Re: [EXTERNAL] Re: Self-signed error when using SSL_CTX_load_verify_locations CApath

Daniel Kahn Gillmor
In reply to this post by Viktor Dukhovni
On Fri 2018-11-30 20:38:01 -0500, Viktor Dukhovni wrote:
> Are there compatibility concerns around changing error message
> text for which users may have created regex patterns in scripts?

I advocate making the error message in English more comprehensible.

Michael Wojcik's suggestion of "Untrusted self-signed certificate in
certificate chain" more accurately reflects the semantics of this error
message.

The error message is X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN, which is
#defined in x509_vfy.h as 19, and 19 even shows up in the specific error
message.  Scripts should be keying on this value, not on the
human-readable text.

Scripts which expect certain human-readable text will fail when the text
is localized (not done in OpenSSL yet, but perhaps it should be at some
point, it certainly is in glibc and other libraries), or when the text
is improved to be more accurate (this case).

We shouldn't let those scripts stop us from improving OpenSSL going
forward at least, though i can understand if folks are more reluctant to
change old versions in a point release.

       --dkg


Re: Self-signed error when using SSL_CTX_load_verify_locations CApath

Charles Mills
In reply to this post by Viktor Dukhovni
I could easily be wrong -- you guys know more about certificates than I ever
will -- but I do not *think* there is any self-signed certificate in this
scenario. There should be exactly two certificates in this discussion:

1. The client certificate. It is not self-signed (in the correct sense of
the term, as opposed to the erroneous popular sense): it is signed by my
"in-house" CA.

2. The CA certificate. Yes, it is a root and self-signed, but you didn't
find it, right? (Because of my error in not running the hash utility.) If
you found it what is the problem? Does the hashing process imply trust? Then
the error message should be "untrusted CA certificate," no? (There is only
one certificate in the CApath folder.)

Am I missing something?

Charles



Re: Self-signed error when using SSL_CTX_load_verify_locations CApath

Viktor Dukhovni
On Sat, Dec 01, 2018 at 12:29:42PM -0800, Charles Mills wrote:

> I could easily be wrong -- you guys know more about certificates than I ever
> will -- but I do not *think* there is any self-signed certificate in this
> scenario. There should be exactly two certificates in this discussion:
>
> 1. The client certificate. It is not self-signed (in the correct sense of
> the term, as opposed to the erroneous popular sense): it is signed by my
> "in-house" CA.
>
> 2. The CA certificate. Yes, it is a root and self-signed, but you didn't
> find it, right?

You seem to be stuck on a narrow meaning of the word "found".  The
self-signed certificate *was* found, but not in the trust-store.

It was found in the chain of certificates sent by the client to the
server for validation.  That's what the error message is telling
you, the chain building algorithm found a self-signed certificate
in the peer's chain, without finding a suitable trust-anchor in the
trust-store.  So validation cannot proceed further and fails.

> (Because of my error in not running the hash utility.)
> If you found it what is the problem? ...

Everything from here down is based on an incorrect reading of the
word "found".

> Am I missing something?

Yes: "found" != "found in the trust store"

Think "encountered" rather than "found" if that's more clear.

--
        Viktor.

Re: [EXTERNAL] Re: Self-signed error when using SSL_CTX_load_verify_locations CApath

Viktor Dukhovni
In reply to this post by Michael Wojcik
On Sat, Dec 01, 2018 at 07:12:24PM +0000, Michael Wojcik wrote:

> > Are there compatibility concerns around changing error message
> > text for which users may have created regex patterns in scripts?
> >
> > I agree the text could be better, but not sure in what releases
> > if any to change the text, since the change may cause issues
> > for some users.
>
> Sure, this is always a concern. Maybe the change could be considered for OpenSSL 3.0, since that's a major release.

Care to create a PR against the "master" branch?  Something
along the lines of:

    "Provided chain ends with untrusted self-signed certificate"

or better.  Here "untrusted" might mean not trusted for the requested
purpose, but more precise is not always more clear.

--
        Viktor.

Re: Self-signed error when using SSL_CTX_load_verify_locations CApath

Charles Mills
In reply to this post by Viktor Dukhovni
> It was found in the chain of certificates sent by the client to the
> server for validation

Again, I could be wrong but that is my point. I do not think the client is
sending a chain of certificates, but rather only one, the CA-signed client
certificate. (I wrote and configured the client, and generated the
certificate, and loaded it into the certificate store.)

Charles


Re: Self-signed error when using SSL_CTX_load_verify_locations CApath

Kyle Hamilton
Wireshark and other packet capture tools can help you determine
exactly what's in the chain sent by the client.  If the self-signed
root isn't being sent, then the "self-signed certificate in
certificate chain" error should never have been sent, and a bug report
on that issue would be appropriate.

If the root is being sent, though, having some idea of what you're
doing when constructing your sessions could help us to figure out why
it is when you didn't intend it to be.

-Kyle H

Re: Self-signed error when using SSL_CTX_load_verify_locations CApath

Charles Mills
Sorry, I do not have a packet capture tool configured.

I have a verify callback with a lot of trace messages. I can see that it is
only entered once; X509_STORE_CTX_get_error_depth() is 1.

Does that tell us anything useful?

Charles



Re: Self-signed error when using SSL_CTX_load_verify_locations CApath

Viktor Dukhovni
> On Dec 2, 2018, at 7:43 PM, Charles Mills <[hidden email]> wrote:
>
> Sorry, I do not have a packet capture tool configured.
>
> I have a verify callback with a lot of trace messages. I can see that it is
> only entered once; X509_STORE_CTX_get_error_depth() is 1.
>
> Does that tell us anything useful?

No further information is required.  Your client certificate chain
includes a self-signed root CA as a direct issuer of its certificate.
That root CA was not found in the server's trust store.

Someone should submit a pull request to improve the error message, if
they've not done so yet.

--
        Viktor.


Re: [EXTERNAL] Re: Self-signed error when using SSL_CTX_load_verify_locations CApath

Michael Wojcik
In reply to this post by Viktor Dukhovni
> From: openssl-users [mailto:[hidden email]] On Behalf
> Of Viktor Dukhovni
> Sent: Saturday, December 01, 2018 13:53
>
> On Sat, Dec 01, 2018 at 07:12:24PM +0000, Michael Wojcik wrote:
>
> > > Are there compatibility concerns around changing error message
> > > text for which users may have created regex patterns in scripts?
> > >
> > > I agree the text could be better, but not sure in what releases
> > > if any to change the text, since the change may cause issues
> > > for some users.
> >
> > Sure, this is always a concern. Maybe the change could be considered for
> > OpenSSL 3.0, since that's a major release.
>
> Care to create a PR against the "master" branch?  Something
> along the lines of:
>
>     "Provided chain ends with untrusted self-signed certificate"
>
> or better.  Here "untrusted" might mean not trusted for the requested
> purpose, but more precise is not always more clear.

I should be able to do that. (My OpenSSL contributor paperwork is still in progress, but since this PR wouldn't include any actual code, I don't think I need to wait for that.)

May be a few days before I get a chance to do it.

--
Michael Wojcik
Distinguished Engineer, Micro Focus



Re: [EXTERNAL] Re: Self-signed error when using SSL_CTX_load_verify_locations CApath

Charles Mills
I appreciate it. OpenSSL is of course a great product but it can be a little
mystifying to debug.

I am a developer and I understand the problem of "layering" and
virtualization, where the component that realizes there is a problem is so
far removed that it does not know what the underlying real problem is. That
said, I would suggest that "Provided chain ends with untrusted self-signed
certificate" still does not really convey "no relevant CA certificate found
in the provided path."

Charles

