Tokens and Messages

 

If any of the verification checks fail, an error message is issued with the details, in the form "Cannot verify certificate from host:port: reason at depth N". The connection also fails with an SSL error for the peer (perhaps containing "alert bad certificate" or "alert unknown ca"). The depth N indicates how far from the peer leaf certificate the error occurred: depth 0 is the leaf certificate itself, depth 1 its issuer, etc.

The specific reason for the verification error can vary, e.g. certificate has expired, unable to get issuer certificate, etc. Any of these errors can be individually suppressed or enabled, by adding the string token for the error to the sslverifyserver or SSL Verify Client setting value, space-separated, prepended with a "+" (plus) or "-" (minus) sign. For example, to verify certificates but ignore expired and revoked certificate errors, the setting value would be "on -X509_V_ERR_CERT_HAS_EXPIRED -X509_V_ERR_CERT_REVOKED". Note that ignoring any of the verification checks in this way may reduce security, and is generally only used in testing or debug environments.

The following list contains all the possible sslverifyserver or SSL Verify Client tokens that can be suppressed/enabled, and their corresponding error messages. Tokens starting with "X509_V_ERR_..." correspond to the same-named OpenSSL certificate verification error:

  • X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT

    unable to get issuer certificate

    A trusted certificate's issuer certificate could not be found amongst the trusted certificates. This error usually means some trusted certificates' chain(s) are incompletely set in sslcacertificatefile or SSL CA Certificate File, and this was discovered when trying to use these incompletely-chained certificate(s) to complete the peer chain. (See also X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY.)

  • X509_V_ERR_UNABLE_TO_GET_CRL

    unable to get certificate CRL

  • X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE

    unable to decrypt certificate's signature

  • X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE

    unable to decrypt CRL's signature

  • X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY

    unable to decode issuer public key

  • X509_V_ERR_CERT_SIGNATURE_FAILURE

    certificate signature failure

  • X509_V_ERR_CRL_SIGNATURE_FAILURE

    CRL signature failure

  • X509_V_ERR_CERT_NOT_YET_VALID

    certificate is not yet valid

  • X509_V_ERR_CERT_HAS_EXPIRED

    certificate has expired

  • X509_V_ERR_CRL_NOT_YET_VALID

    CRL is not yet valid

  • X509_V_ERR_CRL_HAS_EXPIRED

    CRL has expired

  • X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD

    format error in certificate's notBefore field

  • X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD

    format error in certificate's notAfter field

  • X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD

    format error in CRL's lastUpdate field

  • X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD

    format error in CRL's nextUpdate field

  • X509_V_ERR_OUT_OF_MEM

    out of memory

  • X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT

    self signed certificate

    Indicates that the peer certificate is self-signed, and is not trusted locally, i.e. is not in the local sslcacertificatefile or SSL CA Certificate File trust list.

  • X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN

    self signed certificate in certificate chain

    Indicates that the peer chain's root certificate is not trusted locally, i.e. is not in the local sslcacertificatefile or SSL CA Certificate File trust list.

  • X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY

    unable to get local issuer certificate

    A peer certificate's issuer certificate was not found, after looking in both the chain provided by the peer and in the local trusted storage (i.e. sslcacertificatefile or SSL CA Certificate File). This usually means the peer chain was missing or incomplete.

  • X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE

    unable to verify the first certificate

  • X509_V_ERR_CERT_CHAIN_TOO_LONG

    certificate chain too long

    The peer certificate's chain length exceeded the limit set locally by sslverifydepth or SSL Verify Depth. The chain length (depth) is the number of certificates beyond the leaf (client or server) certificate itself; e.g. a chain of length 1 is a leaf certificate plus its issuer certificate.

  • X509_V_ERR_CERT_REVOKED

    certificate revoked

  • X509_V_ERR_INVALID_CA

    invalid CA certificate

  • X509_V_ERR_PATH_LENGTH_EXCEEDED

    path length constraint exceeded

  • X509_V_ERR_INVALID_PURPOSE

    unsupported certificate purpose

  • X509_V_ERR_CERT_UNTRUSTED

    certificate not trusted

  • X509_V_ERR_CERT_REJECTED

    certificate rejected

  • X509_V_ERR_SUBJECT_ISSUER_MISMATCH

    subject issuer mismatch

  • X509_V_ERR_AKID_SKID_MISMATCH

    authority and subject key identifier mismatch

  • X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH

    authority and issuer serial number mismatch

  • X509_V_ERR_KEYUSAGE_NO_CERTSIGN

    key usage does not include certificate signing

  • X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER

    unable to get CRL issuer certificate

  • X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION

    unhandled critical extension

  • X509_V_ERR_KEYUSAGE_NO_CRL_SIGN

    key usage does not include CRL signing

  • X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION

    unhandled critical CRL extension

  • X509_V_ERR_INVALID_NON_CA

    invalid non-CA certificate (has CA markings)

  • X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED

    proxy path length constraint exceeded

  • X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE

    key usage does not include digital signature

  • X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED

    proxy certificates not allowed, please set the appropriate flag

  • X509_V_ERR_INVALID_EXTENSION

    invalid or inconsistent certificate extension

  • X509_V_ERR_INVALID_POLICY_EXTENSION

    invalid or inconsistent certificate policy extension

  • X509_V_ERR_NO_EXPLICIT_POLICY

    no explicit policy

  • No_Peer_Certificate

    Peer did not return a certificate

    The peer did not return a certificate when requested. Usually only occurs as an error on servers, indicating lack of a client certificate. (SSL requires server certificates, whereas client certificates are optional. Thus clients would not see this error, as lack of a server certificate would mean the server would not have started in the first place.)

  • CommonName_Hostname_Mismatch

    Certificate Common Name `...' does not match hostname `...'

    The peer certificate's Common Name (CN) value did not match the hostname in the URL used to access it. This may indicate the host actually contacted is not the one expected by the URL, a possible security issue. This error is not possible for servers (nor possible to disable in SSL Verify Client), as servers do not do Common-Name-to-hostname matching: client certificates' Common Names are not generally hostnames.

  • Other_Error

    Other/unknown X509_V_ERR_... error.


Copyright © Thunderstone Software     Last updated: Dec 10 2018
Copyright © 2019 Thunderstone Software LLC. All rights reserved.