diff options
author | Christophe Fergeau <cfergeau@redhat.com> | 2013-09-20 17:07:35 +0200 |
---|---|---|
committer | Christophe Fergeau <cfergeau@redhat.com> | 2013-10-11 10:21:54 +0200 |
commit | 9b3e972cdc3fbb29664c0a6d1e65a8a278b45df1 (patch) | |
tree | b66bc4ad85242f600c2fde9120e11fd1a5e02e9b | |
parent | b34169feb6a713ee25d1ecded45030dcb6443571 (diff) |
ssl: Log an error when peer certificate verification failed
We currently log an error when openssl_verify() is called with
preverify_ok set to 0 for all certificates in the certificate chain
except for the peer certificate (when 'depth' is 0).
This commit logs an error in the latter case as well.
-rw-r--r-- | common/ssl_verify.c | 10 |
1 files changed, 9 insertions, 1 deletions
diff --git a/common/ssl_verify.c b/common/ssl_verify.c index d4b89f0..7af78bc 100644 --- a/common/ssl_verify.c +++ b/common/ssl_verify.c @@ -456,8 +456,16 @@ static int openssl_verify(int preverify_ok, X509_STORE_CTX *ctx) failed_verifications |= SPICE_SSL_VERIFY_OP_PUBKEY; } - if (!v->all_preverify_ok || !preverify_ok) + if (!preverify_ok) { + err = X509_STORE_CTX_get_error(ctx); + depth = X509_STORE_CTX_get_error_depth(ctx); + spice_warning("Error in server certificate verification: %s (num=%d:depth%d:%s)", + X509_verify_cert_error_string(err), err, depth, buf); return 0; + } + if (!v->all_preverify_ok) { + return 0; + } if (v->verifyop & SPICE_SSL_VERIFY_OP_HOSTNAME) { if (verify_hostname(cert, v->hostname)) |