Hi JJK

at 10.04.2014 09:27, Jan Just Keijser wrote:
> Hi Erich,
...
>>
> glad to hear that this has been resolved. I agree that the error message
> is bogus, but this is what you get back from OpenSSL - and it's quite
> hard to tell whether this is due to a missing CA cert, an untrusted CA
> cert or whether it is simply a self-signed certificate. I guess it could
> be added as an extended check but it's not something you'd want to do
> for every client connecting to a server.

I did some digging in the error code and came up with

    if (subject)
      {
        /* Remote site specified a certificate, but it's not correct */
        msg (D_TLS_ERRORS, "VERIFY ERROR: depth=%d, error=%s: %s",
             ctx->error_depth,
             X509_verify_cert_error_string (ctx->error),
             subject);
      }

this is in ssl_verify_openssl.c and it shows that the error is simply the
stuff returned from X509_verify_cert_error_string.

I _guess_ this is corresponding to the following error code

X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: self signed certificate in certificate chain
    the certificate chain could be built up using the untrusted
    certificates but the root could not be found locally.

It appears as if the ssl error string function throws an incomplete error
string, it might not be that difficult to decode it and make it more clear.

cheers

Erich

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
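
Added example, not part of the thread or of OpenVPN's code: a log-triage helper that parses lines in the `VERIFY ERROR: depth=%d, error=%s: %s` format quoted above and attaches an operator hint to the OpenSSL error string. The function name, the hint wording and the sample log lines are assumptions made for illustration.

```python
import re

# Format taken from the msg() call quoted in the message above:
#   "VERIFY ERROR: depth=%d, error=%s: %s"
VERIFY_RE = re.compile(r"VERIFY ERROR: depth=(\d+), error=(.+?): (.*)$")

# OpenSSL verify error strings -> what to check on the verifying side.
# OpenSSL 3.x spells "self-signed" with a hyphen; keys use that spelling.
HINTS = {
    "self-signed certificate in certificate chain":
        "peer's chain ends in a root that is not in the local trust store",
    "self-signed certificate":
        "peer certificate is its own issuer and is not locally trusted",
    "unable to get local issuer certificate":
        "issuer of this certificate is missing from the local trust store",
    "certificate has expired":
        "notAfter of this certificate is in the past; check clocks and renew",
}

def explain(line):
    """Return a dict describing one VERIFY ERROR line, or None if no match."""
    m = VERIFY_RE.search(line)
    if m is None:
        return None
    depth, error, subject = int(m.group(1)), m.group(2), m.group(3).strip()
    # Normalise the pre-3.0 spelling so both OpenSSL generations match.
    key = error.lower().replace("self signed", "self-signed")
    # depth 0 is the peer's own certificate; higher depths are its issuers.
    role = "peer certificate" if depth == 0 else "CA certificate at depth %d" % depth
    return {
        "depth": depth, "error": error, "subject": subject, "role": role,
        "hint": HINTS.get(key, "no hint; see the OpenSSL verify documentation"),
    }

# Constructed sample log lines (hypothetical, not taken from the thread).
SAMPLE = [
    "Thu Apr 10 09:00:01 2014 VERIFY ERROR: depth=1, error=self signed "
    "certificate in certificate chain: /C=XX/O=Example/CN=Example CA",
    "Thu Apr 10 09:00:02 2014 VERIFY ERROR: depth=0, error=certificate has "
    "expired: /C=XX/O=Example/CN=client1",
    "Thu Apr 10 09:00:03 2014 TLS Error: TLS handshake failed",
]

if __name__ == "__main__":
    for entry in SAMPLE:
        info = explain(entry)
        if info:
            print("%(role)s %(subject)s: %(error)s -> %(hint)s" % info)
```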