On 27/03/2014 13:01, Emilia Kasper wrote:
>
> On Wed, Mar 26, 2014 at 4:56 PM, Dr Stephen Henson
> <shen...@opensslfoundation.com> wrote:
>
> > On 26/03/2014 13:38, Emilia Kasper wrote:
> > >
> > > On Wed, Mar 26, 2014 at 1:11 PM, Dr Stephen Henson
> > > <shen...@opensslfoundation.com> wrote:
> > >
> >
> > Well if you set SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR then it will reorder
> > the chain as best it can and just not fail if the chain is incomplete
> > or broken in any other way. That's how the on the fly path building
> > works at present.
> >
> > Personally I'd prefer it to return errors. That will catch other
> > common problems like expiry of any certificate in the chain.
>
> Except it'll never get to checking expiry if there's no root cert.
>
> I think I'd prefer to ignore but log build errors - but that I can't do
> because the SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR flag clears the error
> stack.
>
I've updated it to not clear errors from the stack by default and to
return 2 if there is a verification failure. That can be used to log a
warning.

Steve.
--
Dr Stephen Henson. OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
+1 877-673-6775
shen...@opensslfoundation.com