A little late, but ACK from me. -Steffan

From: Nicholas Hall [mailto:ngh...@gmail.com]
Sent: Thursday 22 August 2013 21:57
To: openvpn-devel@lists.sourceforge.net
Subject: [Openvpn-devel] tls_ctx_load_ca: Improve certificate error messages

From https://github.com/OpenVPN/openvpn/pull/4 (I am not the patch author)

If a CA certificate file includes intermediate certificates, and any of them fail to verify, the current code will fail with "Cannot load CA certificate file". Instead, generate a more specific error message identifying the specific sub-certificate(s) which did not validate.

I make no claim that I really understand the OpenVPN code, but here's the scenario that led to this patch: I was using the "pile of certificates" handed to me by StartSSL, and one of them was expired, but unnecessary to the verification chain. So when I tried to verify using openssl, it worked fine, but OpenVPN complained with a not-very-helpful "Cannot load CA certificate file."

The following patch was what I ended up doing to figure out what was going wrong.

I have the suspicion that there are more complex procedures for submitting a patch that I don't know about, but I figured I'd start like this to see if the change was interesting enough to you for me to pursue it further.