> [rouss...@measurement-factory.com - Wed Mar 21 10:24:07 2012]:
> 
> Hello,
> 
>     A verification callback registered with SSL_CTX_set_verify() gets
> called for most validation errors, as expected. The callback always
> returns "1" (keep validating) result so that it can see all errors.
> 
> However, after discovering X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE
> error, OpenSSL internal_verify() stops calling the callback due to this
> code in crypto/x509/x509_vfy.c:
> 

The reason for that is that any "errors" after that point are pretty
bogus. You only get that error if the certificate "chain" consists of
one single certificate and it is not self-signed. That means its
signature can't be verified and it could contain anything.

The meaningful errors about being unable to find the issuer will have
been indicated earlier.

Steve.
-- 
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
