Re: openssl verify always returns 0 (success) to shell

2012-11-04 Thread Felipe Blauth
OpenSSL app worked as expected, and that is what 0 means (EXIT_SUCCESS) in C
programming.  The fact that verification wasn't successful does not mean
OpenSSL app didn't work correctly. I think you either have to write your
own app (or maybe just modify OpenSSL verify app to return what you want)
or parse the textual return of the app (which is not very good, IMO).

2012/11/2 Ken Goldman kgold...@us.ibm.com

 In testing my regression tests, I supply a bad CA certificate to force the
 verify to fail.

 I use:

  openssl verify -CAfile cacert.pem cert.pem

 It printed this, which I expected.

 error 20 at 0 depth lookup: ...

 However, when my bash script checks the return code, it is still 0.  I was
 hoping for a non-zero error return to catch real errors later.

 A bug?  If not, what's the correct way to capture errors in a shell script?

 __**__**__
 OpenSSL Project http://www.openssl.org
 User Support Mailing Listopenssl-users@openssl.org
 Automated List Manager   majord...@openssl.org




-- 
Felipe Menegola Blauth
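
One way to act on the "parse the textual return" suggestion from a shell script, as an added example that is not part of the original thread: treat the verification as passed only when the exit status is 0, no "error N at D depth lookup" line is present, and an explicit OK line is. The names `classify_verify`, `verify_cert` and the `SAMPLE_*` strings are assumptions made for this sketch; the sample outputs are constructed.

```shell
#!/bin/sh
# Added example: fail closed on `openssl verify`, whatever its exit status.

# Constructed sample outputs (not captured from a real run). The text after
# "depth lookup:" is left elided, as it is in the thread.
SAMPLE_OK='cert.pem: OK'
SAMPLE_FAIL='cert.pem: <subject name>
error 20 at 0 depth lookup: ...'

# classify_verify STATUS OUTPUT
# Returns 0 only if STATUS is 0, OUTPUT has no "error N at D depth lookup"
# line, and OUTPUT contains a "<file>: OK" line.
classify_verify() {
    # A non-zero exit status is always a failure.
    [ "$1" -eq 0 ] || return 1
    # Failure line format as quoted in the thread; it wins even if an OK
    # line is also present.
    if printf '%s\n' "$2" | grep -Eq 'error [0-9]+ at [0-9]+ depth lookup'; then
        return 1
    fi
    # Require positive confirmation, not just the absence of an error.
    printf '%s\n' "$2" | grep -Eq ': OK$'
}

# verify_cert CAFILE CERT
# Hypothetical wrapper: runs the command from the thread and classifies it.
verify_cert() {
    _vc_output=$(openssl verify -CAfile "$1" "$2" 2>&1)
    _vc_status=$?
    # Keep the tool's own diagnostics visible to the caller.
    printf '%s\n' "$_vc_output" >&2
    classify_verify "$_vc_status" "$_vc_output"
}

# Usage in a regression script:
#   verify_cert cacert.pem cert.pem || { echo "verification failed" >&2; exit 1; }
```
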


Re: openssl verify always returns 0 (success) to shell

2012-11-04 Thread Ken Goldman

I suppose I'll have to write my own program.  :-)

IMHO, this is a borderline bug.  If it returns success when the verify 
fails, when would it return failure?  It feels like a waste of a useful 
return code.


Most programs return non-zero for a failure.  E.g., diff returns 
non-zero if there's a difference.  grep returns non-zero if it doesn't 
find anything.


Non-zero doesn't mean 'the app didn't work correctly.'  It means 
something useful specific to the application.  In the case of 'openssl 
verify', what makes sense to me would be:


0 - verified
non-zero - didn't verify

On 11/4/2012 10:51 AM, Felipe Blauth wrote:

OpenSSL app worked as expected, and that is what 0 means (EXIT_SUCCESS)
in C programming.  The fact that verification wasn't successful does not
mean OpenSSL app didn't work correctly. I think you either have to write
your own app (or maybe just modify OpenSSL verify app to return what
you want) or parse the textual return of the app (which is not very
good, IMO).

2012/11/2 Ken Goldman kgold...@us.ibm.com

In testing my regression tests, I supply a bad CA certificate to
force the verify to fail.

I use:

  openssl verify -CAfile cacert.pem cert.pem

It printed this, which I expected.

error 20 at 0 depth lookup: ...

However, when my bash script checks the return code, it is still 0.
  I was hoping for a non-zero error return to catch real errors later.

A bug?  If not, what's the correct way to capture errors in a shell
script?





--
Felipe Menegola Blauth





Re: openssl verify always returns 0 (success) to shell

2012-11-04 Thread Felipe Blauth
Your argument makes sense, I haven't written many bash scripts so far and
maybe missed the point. The fact that a program could return a non-zero
does not necessarily imply it is returning 1 (EXIT_FAILURE). 1 could be
for an unexpected failure and other numbers could mean something else.

To tell the truth, I've just remembered that I've already done that to
interface with a PHP interface (I know the best way would've been a socket
protocol or something else, but oh well).

Maybe you just need to adapt the app at openssl root
folder/apps/verify.c, because I am almost sure it only returns 0 or 1.


2012/11/4 Ken Goldman kgold...@us.ibm.com

 I suppose I'll have to write my own program.  :-)

 IMHO, this is a borderline bug.  If it returns success when the verify
 fails, when would it return failure?  It feels like a waste of a useful
 return code.

 Most programs return non-zero for a failure.  E.g., diff returns non-zero
 if there's a difference.  grep returns non-zero if it doesn't find anything.

 Non-zero doesn't mean 'the app didn't work correctly.'  It means something
 useful specific to the application.  In the case of 'openssl verify', what
 makes sense to me would be:

 0 - verified
 non-zero - didn't verify


 On 11/4/2012 10:51 AM, Felipe Blauth wrote:

 OpenSSL app worked as expected, and that is what 0 means (EXIT_SUCCESS)
 in C programming.  The fact that verification wasn't successful does not
 mean OpenSSL app didn't work correctly. I think you either have to write
 your own app (or maybe just modify OpenSSL verify app to return what
 you want) or parse the textual return of the app (which is not very
 good, IMO).

 2012/11/2 Ken Goldman kgold...@us.ibm.com


 In testing my regression tests, I supply a bad CA certificate to
 force the verify to fail.

 I use:

   openssl verify -CAfile cacert.pem cert.pem

 It printed this, which I expected.

 error 20 at 0 depth lookup: ...

 However, when my bash script checks the return code, it is still 0.
   I was hoping for a non-zero error return to catch real errors later.

 A bug?  If not, what's the correct way to capture errors in a shell
 script?





 --
 Felipe Menegola Blauth







-- 
Felipe Menegola Blauth


openssl verify always returns 0 (success) to shell

2012-11-02 Thread Ken Goldman
In testing my regression tests, I supply a bad CA certificate to force 
the verify to fail.


I use:

 openssl verify -CAfile cacert.pem cert.pem 

It printed this, which I expected.

error 20 at 0 depth lookup: ...

However, when my bash script checks the return code, it is still 0.  I 
was hoping for a non-zero error return to catch real errors later.


A bug?  If not, what's the correct way to capture errors in a shell script?
