For self signed root only indicate one error.

(Imported from upstream's bdfc0e284c89dd5781259cc19aa264aded538492.)
2014-06-20 12:00:00 -07:00 · 2014-06-20 12:00:00 -07:00 · e0ddf2706a
commit e0ddf2706a
parent 8f5b6b9b0f
1 changed files with 5 additions and 2 deletions
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@ -363,8 +363,11 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
 	/* If explicitly rejected error */
 	if (i == X509_TRUST_REJECTED)
 		goto end;
-	/* If not explicitly trusted then indicate error */
-	if (i != X509_TRUST_TRUSTED)
+	/* If not explicitly trusted then indicate error unless it's
+	 * a single self signed certificate in which case we've indicated
+	 * an error already and set bad_chain == 1
+	 */
+	if (i != X509_TRUST_TRUSTED && !bad_chain)
 		{
 		if ((chain_ss == NULL) || !ctx->check_issued(ctx, x, chain_ss))
 			{