authorChristophe Fergeau <cfergeau@redhat.com>2013-09-20 17:07:35 +0200
committerChristophe Fergeau <cfergeau@redhat.com>2013-10-11 10:21:54 +0200
commit9b3e972cdc3fbb29664c0a6d1e65a8a278b45df1 (patch)
treeb66bc4ad85242f600c2fde9120e11fd1a5e02e9b
parentb34169feb6a713ee25d1ecded45030dcb6443571 (diff)
ssl: Log an error when peer certificate verification failed
We currently log an error when openssl_verify() is called with preverify_ok set to 0 for all certificates in the certificate chain except for the peer certificate (when 'depth' is 0). This commit logs an error in the latter case as well.
-rw-r--r--common/ssl_verify.c10
1 files changed, 9 insertions, 1 deletions
diff --git a/common/ssl_verify.c b/common/ssl_verify.c
index d4b89f0..7af78bc 100644
--- a/common/ssl_verify.c
+++ b/common/ssl_verify.c
@@ -456,8 +456,16 @@ static int openssl_verify(int preverify_ok, X509_STORE_CTX *ctx)
failed_verifications |= SPICE_SSL_VERIFY_OP_PUBKEY;
}
- if (!v->all_preverify_ok || !preverify_ok)
+ if (!preverify_ok) {
+ err = X509_STORE_CTX_get_error(ctx);
+ depth = X509_STORE_CTX_get_error_depth(ctx);
+ spice_warning("Error in server certificate verification: %s (num=%d:depth%d:%s)",
+ X509_verify_cert_error_string(err), err, depth, buf);
return 0;
+ }
+ if (!v->all_preverify_ok) {
+ return 0;
+ }
if (v->verifyop & SPICE_SSL_VERIFY_OP_HOSTNAME) {
if (verify_hostname(cert, v->hostname))