Re: Self-signed error when using SSL_CTX_load_verify_locations CApath

Well, it ought then to say "I couldn't find any certificates at all" rather
than "I found a self-signed certificate" when it did not.

I used to manage product developers. Sometimes I would point out a need for
product improvement and they would say "the code doesn't work that way." I
would reply "I understand. I'm asking you to change the code."

Charles


-----Original Message-----
From: openssl-users [mailto:openssl-users-bounces@xxxxxxxxxxx] On Behalf Of
Viktor Dukhovni
Sent: Friday, November 30, 2018 3:35 PM
To: openssl-users@xxxxxxxxxxx
Subject: Re:  Self-signed error when using
SSL_CTX_load_verify_locations CApath

> On Nov 30, 2018, at 5:00 PM, Charles Mills <charlesm@xxxxxxx> wrote:
> 
> "Self-signed certificate in certificate chain" does not to me convey "No
> certificate hash links" (or "CA certificate not found in hash links").

That's not really possible, because the code that's doing certificate
validation works with an abstract certificate store API, and does not
know whether a particular certificate should or should not have been
listed as a trust-anchor in some store.

All we know is that we've reached a self-signed certificate in the
chain (so no further issuers can be found) and it is not in any
of the trust stores, so verification fails.

Perhaps we could document the errors in a bit more depth, but I don't
think it is possible to tell you that your CApath was missing some
specific symlink.

-- 
	Viktor.

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
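
The CApath lookup discussed in this thread can be checked by hand when verification stops at a self-signed certificate. The script below is an added example, not code from the thread or from OpenSSL; `capath_has_anchor` is a hypothetical helper name, and it assumes the `openssl` command is on the PATH and the root certificate is a PEM file.

```shell
#!/bin/sh
# Added example: report whether a root CA certificate is reachable through
# the <subject-hash>.<n> file names OpenSSL looks for in a CApath directory.
# Returns 0 if a matching entry exists, 1 if not, 2 if the input is unreadable.

capath_has_anchor() {
    cert="$1"
    capath="$2"

    # Subject-name hash: the key OpenSSL uses to find candidate issuers.
    hash=$(openssl x509 -noout -subject_hash -in "$cert") || return 2
    # Fingerprint of the certificate we expect to be trusted.
    want=$(openssl x509 -noout -fingerprint -sha256 -in "$cert") || return 2

    n=0
    # The directory lookup tries <hash>.0, <hash>.1, ... and stops at the
    # first name that does not exist, so a gap hides later entries.
    while [ -e "$capath/$hash.$n" ]; do
        got=$(openssl x509 -noout -fingerprint -sha256 \
              -in "$capath/$hash.$n" 2>/dev/null)
        if [ "$got" = "$want" ]; then
            echo "found: $capath/$hash.$n"
            return 0
        fi
        n=$((n + 1))
    done

    # A symlink whose target is gone looks the same as a missing entry.
    if [ -L "$capath/$hash.$n" ]; then
        echo "dangling symlink: $capath/$hash.$n" >&2
    fi
    echo "missing: no $capath/$hash.N entry matches $cert" >&2
    return 1
}

# Stand-alone use: script.sh root.pem /path/to/capath
if [ "$#" -eq 2 ]; then
    capath_has_anchor "$1" "$2"
fi
```

A result of `missing` for the root of the failing chain means the directory needs to be re-indexed, for example with `openssl rehash` or `c_rehash`.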
