Certificate is not issued by trusted CA: failed with openssl 1.1.1i

[kroeckx]

openssl/openssl#11359 changed behaviour in case the callback returns true in case of X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE. This has as result that you know get the following error:

Testing package ssl:ssl ................
Script test_ssl.pl failed: Unknown message: exit(1)
% PL-Unit: ssl_options ....... done
% PL-Unit: ssl_server . done
% PL-Unit: ssl_keys ..... done
% PL-Unit: ssl_certificates .............
ERROR: /usr/lib/swi-prolog/test/packages/ssl/test_ssl.pl:629:
	test Certificate is not issued by trusted CA: failed

.................. done

Instead of [unknown_issuer] it now gets [unknown_issuer,verified].

I'm not sure yet if this will stay like this.

[JanWielemaker]

Thanks. Applied your patch on https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=977657

Bit dubious, notably as there is a verified in the list ... For now it is the only sensible work-around I can see.

[kroeckx]

The callback allows you to override errors during verification. The test is doing that. You see that in other tests it also has things like "hostname_mismatch, verified". For the unknown_issuer error OpenSSL used to stop, instead of continuing like in the other cases.

[JanWielemaker]

Thanks for the clarification! Seems we are fairly safe :)