Re: [EXTERNAL] Re: Self-signed error when using SSL_CTX_load_verify_locations CApath

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



I appreciate it. OpenSSL is of course a great product but it can be a little
mystifying to debug.

I am a developer and I understand the problem of "layering" and
virtualization, where the component that realizes there is a problem is so
far removed that it does not know what the underlying real problem is. That
said, I would suggest that "Provided chain ends with untrusted self-signed
certificate" still does not really convey "no relevant CA certificate found
in the provided path."

Charles


-----Original Message-----
From: openssl-users [mailto:openssl-users-bounces@xxxxxxxxxxx] On Behalf Of
Michael Wojcik
Sent: Monday, December 3, 2018 7:22 AM
To: openssl-users@xxxxxxxxxxx
Subject: Re:  [EXTERNAL] Re: Self-signed error when using
SSL_CTX_load_verify_locations CApath

> From: openssl-users [mailto:openssl-users-bounces@xxxxxxxxxxx] On Behalf
> Of Viktor Dukhovni
> Sent: Saturday, December 01, 2018 13:53
>
> On Sat, Dec 01, 2018 at 07:12:24PM +0000, Michael Wojcik wrote:
>
> > > Are there compatibility concerns around changing error message
> > > text for which users may have created regex patterns in scripts?
> > >
> > > I agree the text could be better, but not sure in what releases
> > > if any to change the text, since the change may cause issues
> > > for some users.
> >
> > Sure, this is always a concern. Maybe the change could be considered for
> > OpenSSL 3.0, since that's a major release.
>
> Care to create a PR against the "master" branch?  Something
> along the lines of:
>
>     "Provided chain ends with untrusted self-signed certificate"
>	
> or better.  Here "untrusted" might mean not trusted for the requested
> purpose, but more precise is not always more clear.

I should be able to do that. (My OpenSSL contributor paperwork is still in
progress, but since this PR wouldn't include any actual code, I don't think
I need to wait for that.)

May be a few days before I get a chance to do it.

--
Michael Wojcik
Distinguished Engineer, Micro Focus


-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users



[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux