ssl: Remove selfsigned anchor certificate from the certificate chain

A selfsigned trusted anchor should not be in the certifcate chain passed to
the certificate path validation.

Conflicts:
	lib/ssl/src/ssl_certificate.erl

2 files changed, 3 insertions, 3 deletions

diff --git a/lib/ssl/src/ssl_certificate.erl b/lib/ssl/src/ssl_certificate.erl
index 9c0ed181fe..30d224fee2 100644
--- a/lib/ssl/src/ssl_certificate.erl
+++ b/lib/ssl/src/ssl_certificate.erl
@@ -282,7 +282,7 @@ other_issuer(OtpCert, CertDbHandle) ->
 handle_path({BinCert, OTPCert}, Path, PartialChainHandler) ->
     case public_key:pkix_is_self_signed(OTPCert) of
 	true ->
-	    {BinCert, Path};
+	    {BinCert, lists:delete(BinCert, Path)};
 	false ->
 	   handle_incomplete_chain(Path, PartialChainHandler)
     end.
diff --git a/lib/ssl/test/ssl_certificate_verify_SUITE.erl b/lib/ssl/test/ssl_certificate_verify_SUITE.erl
index b7864ba6e7..dab7a941db 100644
--- a/lib/ssl/test/ssl_certificate_verify_SUITE.erl
+++ b/lib/ssl/test/ssl_certificate_verify_SUITE.erl
@@ -443,7 +443,7 @@ verify_fun_always_run_client(Config) when is_list(Config) ->
 			    {unknown, UserState};
 		       (_, valid, [ChainLen]) ->
 			    {valid, [ChainLen + 1]};
-		       (_, valid_peer, [2]) ->
+		       (_, valid_peer, [1]) ->
 			    {fail, "verify_fun_was_always_run"};
 		       (_, valid_peer, UserState) ->
 			    {valid, UserState}
@@ -482,7 +482,7 @@ verify_fun_always_run_server(Config) when is_list(Config) ->
 			    {unknown, UserState};
 		       (_, valid, [ChainLen]) ->
 			    {valid, [ChainLen + 1]};
-		       (_, valid_peer, [2]) ->
+		       (_, valid_peer, [1]) ->
 			    {fail, "verify_fun_was_always_run"};
 		       (_, valid_peer, UserState) ->
 			    {valid, UserState}