> From: openssl-users [mailto:openssl-users-bounces@xxxxxxxxxxx] On Behalf
> Of Viktor Dukhovni
> Sent: Friday, November 30, 2018 16:35
>
> > On Nov 30, 2018, at 5:00 PM, Charles Mills <charlesm@xxxxxxx> wrote:
> >
> > "Self-signed certificate in certificate chain" does not to me convey "No
> > certificate hash links" (or "CA certificate not found in hash links").
>
> That's not really possible, because the code that's doing certificate
> validation works with an abstract certificate store API, and does not
> know whether a particular certificate should or should not have been
> listed as a trust-anchor in some store.
>
> All we know is that we've reached a self-signed certificate in the
> chain (so no further issuers can be found) and it is not in any
> of the trust stores, so verification fails.
>
> Perhaps we could document the errors in a bit more depth, but I don't
> think it is possible to tell you that your CApath was missing some
> specific symlink.

Viktor's points are all good ones, but considering how often this particular
message causes confusion for users and developers (at least in my experience),
I wonder whether changing the text to "Untrusted self-signed certificate in
certificate chain" would help. That would suggest to the user that the problem
might be an issue with the trust store.

--
Michael Wojcik
Distinguished Engineer, Micro Focus
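
The failure discussed in this thread, reproduced as an added example that is not part of the original messages: a leaf verifies against a CApath directory only once the root is present under its subject-hash name. The CA, subject names and file names are constructed for the demo, and the root is passed with `-untrusted` so the chain can be built up to it while trust comes only from the CApath directory.

```shell
#!/bin/sh
# Constructed demo: every name, subject and path here is made up for this example.

# Build a throwaway root CA and a leaf certificate signed by it inside directory $1.
make_chain() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo.example" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null
}

# Verify the leaf. The root is only a chain-building candidate (-untrusted);
# whether it is a trust anchor depends solely on what is in $1/capath.
verify_leaf() {
    d=$1
    openssl verify -CApath "$d/capath" -untrusted "$d/ca.pem" "$d/leaf.pem" 2>&1
}

# Install the root in the CApath directory under <subject-hash>.0,
# the name the directory lookup searches for.
add_hash_link() {
    d=$1
    h=$(openssl x509 -in "$d/ca.pem" -noout -subject_hash) &&
    cp "$d/ca.pem" "$d/capath/demo-root.pem" &&
    ln -s demo-root.pem "$d/capath/$h.0"
}

demo() {
    d=$(mktemp -d) && mkdir "$d/capath" && make_chain "$d" || return 1
    echo "--- CApath without hash link (expect error 19)"
    verify_leaf "$d" || true
    add_hash_link "$d" || return 1
    echo "--- CApath with hash link (expect OK)"
    verify_leaf "$d" || true
    rm -rf "$d"
}

demo
```

Without `-untrusted`, the verifier cannot find the root at all and reports error 20 (unable to get local issuer certificate) instead of error 19.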