Re: [EXTERNAL] Re: Self-signed error when using SSL_CTX_load_verify_locations CApath

On 01/12/2018 21:53, Viktor Dukhovni wrote:
> On Sat, Dec 01, 2018 at 07:12:24PM +0000, Michael Wojcik wrote:
>
>>> Are there compatibility concerns around changing error message
>>> text for which users may have created regex patterns in scripts?
>>>
>>> I agree the text could be better, but not sure in what releases
>>> if any to change the text, since the change may cause issues
>>> for some users.
>>
>> Sure, this is always a concern. Maybe the change could be considered for OpenSSL 3.0, since that's a major release.
>
> Care to create a PR against the "master" branch?  Something
> along the lines of:
>
>      "Provided chain ends with untrusted self-signed certificate"
>
> or better.  Here "untrusted" might mean not trusted for the requested
> purpose, but more precise is not always more clear.

Perhaps s/untrusted/unknown/ as in

"Provided chain ends with unknown self-signed certificate".

Or even better, two different error codes:

 - "Only self-signed end certificate provided"

 - "Provided chain ends with unknown root certificate"

(Deciding which one keeps the old error code is left as
 an exercise).

(Distinguishing a self-signed end cert from a self-signed
 root when no other certificate is provided is also left
 as an exercise).

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
