For self signed root only indicate one error.

(cherry picked from commit bdfc0e284c89dd5781259cc19aa264aded538492)
author: Dr. Stephen Henson <steve@openssl.org> 2014-03-03 23:33:51 +0000
committer: Dr. Stephen Henson <steve@openssl.org> 2014-03-03 23:36:46 +0000
commit: 315cd871c4b61f002f658de0ee427f2f4221aa7c (patch)
tree: 10e69b41463b4814b21a5f786146bc0a80c54956 /crypto/x509
parent: 5693a30813a031d3921a016a870420e7eb93ec90 (diff)
download: openssl-315cd871c4b61f002f658de0ee427f2f4221aa7c.tar.gz
1 files changed, 5 insertions, 2 deletions
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 869a4f29e8..32b07a0306 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -366,8 +366,11 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
 	/* If explicitly rejected error */
 	if (i == X509_TRUST_REJECTED)
 		goto end;
-	/* If not explicitly trusted then indicate error */
-	if (i != X509_TRUST_TRUSTED)
+	/* If not explicitly trusted then indicate error unless it's
+	 * a single self signed certificate in which case we've indicated
+	 * an error already and set bad_chain == 1
+	 */
+	if (i != X509_TRUST_TRUSTED && !bad_chain)
 		{
 		if ((chain_ss == NULL) || !ctx->check_issued(ctx, x, chain_ss))
 			{
author	Dr. Stephen Henson <steve@openssl.org>	2014-03-03 23:33:51 +0000
committer	Dr. Stephen Henson <steve@openssl.org>	2014-03-03 23:36:46 +0000
commit	315cd871c4b61f002f658de0ee427f2f4221aa7c (patch)
tree	10e69b41463b4814b21a5f786146bc0a80c54956 /crypto/x509
parent	5693a30813a031d3921a016a870420e7eb93ec90 (diff)
download	openssl-315cd871c4b61f002f658de0ee427f2f4221aa7c.tar.gz