Re: [EXTERNAL] Re: Self-signed error when using SSL_CTX_load_verify_locations CApath

On 05/12/2018 00:50, Viktor Dukhovni wrote:
> On Tue, Dec 04, 2018 at 04:15:11PM +0100, Jakob Bohm via openssl-users wrote:
>
>>> Care to create a PR against the "master" branch?  Something
>>> along the lines of:
>>>
>>>       "Provided chain ends with untrusted self-signed certificate"
>>>
>>> or better.  Here "untrusted" might mean not trusted for the requested
>>> purpose, but more precise is not always more clear.
>>
>> Perhaps s/untrusted/unknown/ as in
>>
>> "Provided chain ends with unknown self-signed certificate".
>
> I don't see why "unknown" is better; it could under certain conditions
> be "known", but not trusted.

Unknown would differ from untrusted in cases where there is some
setting indicating that some certificates in the CA directory are
trusted only for some/no purposes.

This could (in current or future code) represent things such as the
trust bits in "Trusted Certificate" files.

>> Or even better, two different error codes:
>>
>>   - "Only self-signed end certificate provided"
>>
>>   - "Provided chain ends with unknown root certificate"
>
> That already exists:
>
>    crypto/x509/x509_txt.c:
>
>      case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
>          return "self signed certificate";
>      case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
>          return "self signed certificate in certificate chain";

In that case, maybe change the text to:

  "Provided chain ends with an unknown and thus untrusted root certificate"

This would capture both the fact that the root is unknown (not in
the CA stores configured/loaded) and that this is the specific
fact causing it to be untrusted.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
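To make the "unknown" versus "known but untrusted" distinction from this thread concrete, here is an added example (not from the thread or from the OpenSSL project) that builds a throwaway PKI with the openssl CLI and reads off the X509_V_ERR_* code for each case: a self-signed leaf alone, a chain ending in a root the store has never seen, and a root that is in the store but rejected for the requested purpose via a "TRUSTED CERTIFICATE" file. It assumes openssl 1.1.1 or 3.x on PATH; the subject names are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the `openssl` CLI (1.1.1 or 3.x)
# is on PATH. "Example Root" and leaf.example are constructed names.
set -e

# Build a throwaway PKI in a scratch directory: a self-signed root and one
# leaf it signs, plus a "TRUSTED CERTIFICATE" copy of the root whose trust
# settings explicitly reject TLS server authentication. That copy is *known*
# to the store but not *trusted* for that purpose.
make_pki() {
    WORK=$(mktemp -d)
    cd "$WORK"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
        -subj "/CN=Example Root" -days 1 >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
        -subj "/CN=leaf.example" >/dev/null 2>&1
    openssl x509 -req -in leaf.csr -CA root.pem -CAkey root.key \
        -CAcreateserial -out leaf.pem -days 1 >/dev/null 2>&1
    openssl x509 -in root.pem -addreject serverAuth -out root_rejected.pem \
        >/dev/null 2>&1
}

# Run `openssl verify` with the given arguments and print the numeric
# X509_V_ERR_* code from its "error N at D depth lookup: ..." line, or 0
# when verification succeeds. The constructed root is never in the system
# store, so the default trust store does not affect the outcome.
verify_code() {
    out=$(openssl verify "$@" 2>&1 || true)
    code=$(printf '%s\n' "$out" | sed -n 's/^error \([0-9]*\) at .*/\1/p' | head -n 1)
    printf '%s' "${code:-0}"
}

make_pki

# 18 = X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: the end certificate itself is
# self-signed and not in the store ("only self-signed end certificate").
echo "self-signed leaf alone:         $(verify_code root.pem)"
# 20 = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: no root offered at all.
echo "leaf without its root:          $(verify_code leaf.pem)"
# 19 = X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: the supplied chain ends in a
# self-signed root the store has never seen ("unknown root").
echo "leaf + unknown root in chain:   $(verify_code -untrusted root.pem leaf.pem)"
# 28 = X509_V_ERR_CERT_REJECTED: the root *is* in the store, but its trust
# settings reject the requested purpose ("known, but untrusted").
echo "leaf + known-but-rejected root: $(verify_code -CAfile root_rejected.pem -purpose sslserver leaf.pem)"
# 0: the same root loaded as a plain certificate is trusted without restriction.
echo "leaf + trusted root:            $(verify_code -CAfile root.pem -purpose sslserver leaf.pem)"
```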