Re: [openssl-dev] [openssl.org #2768] Bug: internal_verify() hides errors from callbacks after X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE

2016-02-03 Thread Viktor Dukhovni
> On Feb 3, 2016, at 4:18 PM, Daniel Kahn Gillmor via RT > wrote: > > if the cert at the top of the chain is self-signed, it's entirely > reasonable to say that the expiration date is meaningful. For example, > I could distribute a certificate for a root authority which i

Re: [openssl-dev] [openssl.org #2768] Bug: internal_verify() hides errors from callbacks after X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE

2016-02-03 Thread Viktor Dukhovni via RT
> On Feb 3, 2016, at 4:18 PM, Daniel Kahn Gillmor via RT > wrote: > > if the cert at the top of the chain is self-signed, it's entirely > reasonable to say that the expiration date is meaningful. For example, > I could distribute a certificate for a root authority which i

Re: [openssl-dev] [openssl.org #2768] Bug: internal_verify() hides errors from callbacks after X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE

2016-02-03 Thread Daniel Kahn Gillmor via RT
On Mon 2016-02-01 18:46:20 -0500, Viktor Dukhovni wrote: > On Mon, Feb 01, 2016 at 11:38:49PM +, Alex Rousskov via RT wrote: > >> On 02/01/2016 02:32 PM, openssl-dev@openssl.org via RT wrote: >> >> > Please be more explicit about what errors you feel were not reported. >> >> One specific

[openssl-dev] [openssl.org #2768] Bug: internal_verify() hides errors from callbacks after X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE

2016-02-01 Thread Rich Salz via RT
there does not seem to be anything for openssl to do here. also the verify_chain code is changing a lot in 1.1 -- Rich Salz, OpenSSL dev team; rs...@openssl.org

Re: [openssl-dev] [openssl.org #2768] Bug: internal_verify() hides errors from callbacks after X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE

2016-02-01 Thread Viktor Dukhovni
On Mon, Feb 01, 2016 at 08:34:44PM +, Alex Rousskov via RT wrote: > On 02/01/2016 12:40 PM, Rich Salz via RT wrote: > > there does not seem to be anything for openssl to do here. > > OpenSSL can do one of these two things (at least): > > * Start reporting

Re: [openssl-dev] [openssl.org #2768] Bug: internal_verify() hides errors from callbacks after X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE

2016-02-01 Thread Alex Rousskov via RT
On 02/01/2016 12:40 PM, Rich Salz via RT wrote: > there does not seem to be anything for openssl to do here. OpenSSL can do one of these two things (at least): * Start reporting post-X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE errors to callbacks [instead of hiding them]. * Adjust

Re: [openssl-dev] [openssl.org #2768] Bug: internal_verify() hides errors from callbacks after X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE

2016-02-01 Thread Viktor Dukhovni
On Mon, Feb 01, 2016 at 11:38:49PM +, Alex Rousskov via RT wrote: > On 02/01/2016 02:32 PM, openssl-dev@openssl.org via RT wrote: > > > Please be more explicit about what errors you feel were not reported. > > One specific error mentioned during the previous discussion was "expired >

Re: [openssl-dev] [openssl.org #2768] Bug: internal_verify() hides errors from callbacks after X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE

2016-02-01 Thread Alex Rousskov via RT
On 02/01/2016 02:32 PM, openssl-dev@openssl.org via RT wrote: > Please be more explicit about what errors you feel were not reported. One specific error mentioned during the previous discussion was "expired certificate". This was ~four years ago, so my recollection may be faulty, but I believe

[openssl.org #2768]: Bug: internal_verify() hides errors from callbacks after X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE

2012-11-23 Thread Arnis Paršovs via RT
However, after discovering X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE error, OpenSSL internal_verify() stops calling the callback due to this code in crypto/x509/x509_vfy.c: The reason for that is that any errors after that point are pretty bogus. You only get that error if the certificate

Re: [openssl.org #2768] Bug: internal_verify() hides errors from callbacks after X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE

2012-04-04 Thread Alex Rousskov
On 03/23/2012 07:52 AM, Stephen Henson via RT wrote: [rouss...@measurement-factory.com - Wed Mar 21 10:24:07 2012]: A verification callback registered with SSL_CTX_set_verify() gets called for most validation errors, as expected. The callback always returns 1 (keep validating) result so

Re: [openssl.org #2768] Bug: internal_verify() hides errors from callbacks after X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE

2012-04-03 Thread Alex Rousskov via RT
On 03/23/2012 07:52 AM, Stephen Henson via RT wrote: [rouss...@measurement-factory.com - Wed Mar 21 10:24:07 2012]: A verification callback registered with SSL_CTX_set_verify() gets called for most validation errors, as expected. The callback always returns 1 (keep validating) result so

[openssl.org #2768] Bug: internal_verify() hides errors from callbacks after X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE

2012-03-23 Thread Stephen Henson via RT
[rouss...@measurement-factory.com - Wed Mar 21 10:24:07 2012]: Hello, A verification callback registered with SSL_CTX_set_verify() gets called for most validation errors, as expected. The callback always returns 1 (keep validating) result so that it can see all errors. However,

[openssl.org #2768] Bug: internal_verify() hides errors from callbacks after X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE

2012-03-21 Thread Alex Rousskov via RT
Hello, A verification callback registered with SSL_CTX_set_verify() gets called for most validation errors, as expected. The callback always returns 1 (keep validating) result so that it can see all errors. However, after discovering X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE error, OpenSSL