On 03/23/2012 07:52 AM, Stephen Henson via RT wrote:
>> [[email protected] - Wed Mar 21 10:24:07 2012]:
>>
>>
>>     A verification callback registered with SSL_CTX_set_verify() gets
>> called for most validation errors, as expected. The callback always
>> returns "1" (keep validating) result so that it can see all errors.
>>
>> However, after discovering X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE
>> error, OpenSSL internal_verify() stops calling the callback due to this
>> code in crypto/x509/x509_vfy.c:


> The reason for that is that any "errors" after that point are pretty
> bogus. You only get that error if the certificate "chain" consists of
> one single certificate and it is not self signed. That means its
> signature can't be verified and it could contain anything.
> 
> The meaningful errors about being unable to find the issuer will have
> been indicated earlier.

Hi Steve,

    Thank you for looking at this issue! If my arguments below do not
convince you that a code change is a good idea, please fix the
SSL_CTX_set_verify() manual page so that others do not get caught in the
same "all errors" trap.

IMHO, it is the callback function that should decide what errors are
"pretty bogus" and what errors are "meaningful" even though most
callbacks will probably not care if most errors are hidden from them for
one reason or another.

In our rare case, errors such as "expired certificate" are meaningful
even if the certificate signature cannot be verified.

Please consider reporting all errors to the callback as long as it does
no harm. This will minimize the need to re-implement the whole
verification function (via SSL_CTX_set_cert_verify_callback) or patching
OpenSSL code, both of which are likely to cause problems.


Thank you,

Alex.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [email protected]
