Commit 6c9b08ce authored by Quanah Gibson-Mount's avatar Quanah Gibson-Mount
Browse files

In case of certificate verification failures include failure reason

into the error message (openssl only)
parent c79df071
......@@ -37,7 +37,7 @@ typedef tls_session *(TI_session_new)(tls_ctx *ctx, int is_server);
typedef int (TI_session_connect)(LDAP *ld, tls_session *s);
typedef int (TI_session_accept)(tls_session *s);
typedef int (TI_session_upflags)(Sockbuf *sb, tls_session *s, int rc);
typedef char *(TI_session_errmsg)(int rc, char *buf, size_t len );
typedef char *(TI_session_errmsg)(tls_session *s, int rc, char *buf, size_t len );
typedef int (TI_session_dn)(tls_session *sess, struct berval *dn);
typedef int (TI_session_chkhost)(LDAP *ld, tls_session *s, const char *name_in);
typedef int (TI_session_strength)(tls_session *sess);
......
......@@ -376,7 +376,7 @@ ldap_int_tls_connect( LDAP *ld, LDAPConn *conn )
return 1;
}
msg = tls_imp->ti_session_errmsg( err, buf, sizeof(buf) );
msg = tls_imp->ti_session_errmsg( ssl, err, buf, sizeof(buf) );
if ( msg ) {
if ( ld->ld_error ) {
LDAP_FREE( ld->ld_error );
......@@ -438,7 +438,7 @@ ldap_pvt_tls_accept( Sockbuf *sb, void *ctx_arg )
if ( DebugTest( LDAP_DEBUG_ANY ) ) {
char buf[256], *msg;
msg = tls_imp->ti_session_errmsg( err, buf, sizeof(buf) );
msg = tls_imp->ti_session_errmsg( ssl, err, buf, sizeof(buf) );
Debug( LDAP_DEBUG_ANY,"TLS: can't accept: %s.\n",
msg ? msg : "(unknown)", 0, 0 );
}
......
......@@ -525,7 +525,7 @@ tlsg_session_upflags( Sockbuf *sb, tls_session *session, int rc )
}
static char *
tlsg_session_errmsg( int rc, char *buf, size_t len )
tlsg_session_errmsg( tls_session *sess, int rc, char *buf, size_t len )
{
return (char *)gnutls_strerror( rc );
}
......
......@@ -2013,7 +2013,7 @@ tlsm_session_upflags( Sockbuf *sb, tls_session *session, int rc )
}
static char *
tlsm_session_errmsg( int rc, char *buf, size_t len )
tlsm_session_errmsg( tls_session *sess, int rc, char *buf, size_t len )
{
int i;
......
......@@ -398,11 +398,22 @@ tlso_session_upflags( Sockbuf *sb, tls_session *sess, int rc )
}
static char *
tlso_session_errmsg( int rc, char *buf, size_t len )
tlso_session_errmsg( tls_session *sess, int rc, char *buf, size_t len )
{
char err[256] = "";
const char *certerr=NULL;
tlso_session *s = (tlso_session *)sess;
rc = ERR_peek_error();
if ( rc ) {
ERR_error_string_n( rc, buf, len );
ERR_error_string_n( rc, err, sizeof(err) );
if ( ( ERR_GET_LIB(rc) == ERR_LIB_SSL ) &&
( ERR_GET_REASON(rc) == SSL_R_CERTIFICATE_VERIFY_FAILED ) ) {
int certrc = SSL_get_verify_result(s);
certerr = (char *)X509_verify_cert_error_string(certrc);
}
snprintf(buf, len, "%s%s%s%s", err, certerr ? " (" :"",
certerr ? certerr : "", certerr ? ")" : "" );
return buf;
}
return NULL;
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment