diff options
author | Dr. Stephen Henson <steve@openssl.org> | 2014-03-03 23:33:51 +0000 |
---|---|---|
committer | Dr. Stephen Henson <steve@openssl.org> | 2014-03-03 23:33:51 +0000 |
commit | bdfc0e284c89dd5781259cc19aa264aded538492 (patch) | |
tree | 79f15883a6bd6babfa10dbdc3dac022b103b1084 | |
parent | 12c56e4888897c510b611d482d329eed12fab6cb (diff) | |
download | openssl-new-bdfc0e284c89dd5781259cc19aa264aded538492.tar.gz |
For self signed root only indicate one error.
-rw-r--r-- | crypto/x509/x509_vfy.c | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index 5f91b01666..0693c609ce 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -366,8 +366,11 @@ int X509_verify_cert(X509_STORE_CTX *ctx) /* If explicitly rejected error */ if (i == X509_TRUST_REJECTED) goto end; - /* If not explicitly trusted then indicate error */ - if (i != X509_TRUST_TRUSTED) + /* If not explicitly trusted then indicate error unless it's + * a single self signed certificate in which case we've indicated + * an error already and set bad_chain == 1 + */ + if (i != X509_TRUST_TRUSTED && !bad_chain) { if ((chain_ss == NULL) || !ctx->check_issued(ctx, x, chain_ss)) { |