From f76d8c47470094a5cb14e937ef3c30db1d97389b Mon Sep 17 00:00:00 2001
From: "Dr. Stephen Henson"
Date: Wed, 17 Nov 1999 01:20:29 +0000
Subject: Modify verify code to handle self signed certificates.
---
 apps/verify.c | 25 +++++++++++--------------
 1 file changed, 11 insertions(+), 14 deletions(-)
(limited to 'apps')
diff --git a/apps/verify.c b/apps/verify.c
index 093fe09f2c..840fda9561 100644
--- a/apps/verify.c
+++ b/apps/verify.c
@@ -206,21 +206,18 @@ static int MS_CALLBACK cb(int ok, X509_STORE_CTX *ctx)
 if (!ok)
 {
- /* since we are just checking the certificates, it is
- * ok if they are self signed. */
- if (ctx->error == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT)
- ok=1;
- else
- {
- X509_NAME_oneline(
+ X509_NAME_oneline(
 X509_get_subject_name(ctx->current_cert),buf,256);
- printf("%s\n",buf);
- printf("error %d at %d depth lookup:%s\n",ctx->error,
- ctx->error_depth,
- X509_verify_cert_error_string(ctx->error));
- if (ctx->error == X509_V_ERR_CERT_HAS_EXPIRED)
- ok=1;
- }
+ printf("%s\n",buf);
+ printf("error %d at %d depth lookup:%s\n",ctx->error,
+ ctx->error_depth,
+ X509_verify_cert_error_string(ctx->error));
+ if (ctx->error == X509_V_ERR_CERT_HAS_EXPIRED) ok=1;
+ /* since we are just checking the certificates, it is
+ * ok if they are self signed. But we should still warn
+ * the user.
+ */
+ if (ctx->error == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) ok=1;
 }
 if (!v_verbose)
 ERR_clear_error();
--
cgit v1.2.1
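Review bot: Both overrides at the end of the `if (!ok)` block, `if (ctx->error == X509_V_ERR_CERT_HAS_EXPIRED) ok=1;` and the matching self-signed one, turn a failed check into a success return, so the printed "error %d at %d depth lookup" line is the only sign that an expired or depth-zero self-signed certificate was let through. Anything that consumes the final verification result rather than the text output would presumably see such a certificate as verified; how the result is reported is outside this hunk, as are the start and end of cb(). I would extend the new comment to state that explicitly, e.g. `/* returning 1 lets verification continue: this callback is diagnostic only and must not be reused where a trust decision is made */`, and consider recording that an override happened so the final summary can differ from a clean pass. Separately, `X509_NAME_oneline(...,buf,256)` repeats a literal size; if buf is a local array (its declaration is not in the hunk), `sizeof buf` would keep the bound tied to the declaration.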