The branch master has been updated via 9b10986d7742a5105ac8c5f4eba8b103caf57ae9 (commit) from 807989df56988da92560bce4706d91d7c1371783 (commit)
- Log ----------------------------------------------------------------- commit 9b10986d7742a5105ac8c5f4eba8b103caf57ae9 Author: Richard Levitte <levi...@openssl.org> Date: Wed Jan 16 21:54:48 2019 +0100 apps/verify.c: Change an old comment to clarify what the callback does Reviewed-by: Bernd Edlinger <bernd.edlin...@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/7922) ----------------------------------------------------------------------- Summary of changes: apps/verify.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/apps/verify.c b/apps/verify.c index 3768fed..2f66912 100644 --- a/apps/verify.c +++ b/apps/verify.c @@ -286,16 +286,19 @@ static int cb(int ok, X509_STORE_CTX *ctx) cert_error, X509_STORE_CTX_get_error_depth(ctx), X509_verify_cert_error_string(cert_error)); + + /* + * Pretend that some errors are ok, so they don't stop further + * processing of the certificate chain. Setting ok = 1 does this. + * After X509_verify_cert() is done, we verify that there were + * no actual errors, even if the returned value was positive. + */ switch (cert_error) { case X509_V_ERR_NO_EXPLICIT_POLICY: policies_print(ctx); /* fall thru */ case X509_V_ERR_CERT_HAS_EXPIRED: - - /* - * since we are just checking the certificates, it is ok if they - * are self signed. But we should still warn the user. - */ + /* Continue even if the leaf is a self signed cert */ case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: /* Continue after extension errors too */ case X509_V_ERR_INVALID_CA: _____ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits