X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=crypto%2Fx509%2Fx509_vfy.c;h=5d88efd4a0dd48b89e0730ce63e173a957ef2038;hp=73eecd6ee4087c5f56ca97ff4b55dc1073a957f0;hb=78f3a2aad79b25fc25498f5afa6ca0bbe01bf863;hpb=b847024026c4e16371bf05adc4a9d88500472336

diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 73eecd6ee4..5d88efd4a0 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -488,6 +488,13 @@ static int internal_verify(X509_STORE_CTX *ctx)
 				if (!ok) goto end;
 				}
 			if (X509_verify(xs,pkey) <= 0)
+				/* XXX  For the final trusted self-signed cert,
+				 * this is a waste of time.  That check should
+				 * optional so that e.g. 'openssl x509' can be
+				 * used to detect invalid self-signatures, but
+				 * we don't verify again and again in SSL
+				 * handshakes and the like once the cert has
+				 * been declared trusted. */
 				{
 				ctx->error=X509_V_ERR_CERT_SIGNATURE_FAILURE;
 				ctx->current_cert=xs;