From 9b3e972cdc3fbb29664c0a6d1e65a8a278b45df1 Mon Sep 17 00:00:00 2001
From: Christophe Fergeau
Date: Fri, 20 Sep 2013 17:07:35 +0200
Subject: ssl: Log an error when peer certificate verification failed

We currently log an error when openssl_verify() is called with preverify_ok set to 0 for all certificates in the certificate chain except for the peer certificate (when 'depth' is 0). This commit logs an error in the latter case as well.
---
 common/ssl_verify.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/common/ssl_verify.c b/common/ssl_verify.c
index d4b89f0..7af78bc 100644
--- a/common/ssl_verify.c
+++ b/common/ssl_verify.c
@@ -456,8 +456,16 @@ static int openssl_verify(int preverify_ok, X509_STORE_CTX *ctx)
 failed_verifications |= SPICE_SSL_VERIFY_OP_PUBKEY;
 }
- if (!v->all_preverify_ok || !preverify_ok)
+ if (!preverify_ok) {
+ err = X509_STORE_CTX_get_error(ctx);
+ depth = X509_STORE_CTX_get_error_depth(ctx);
+ spice_warning("Error in server certificate verification: %s (num=%d:depth%d:%s)",
+ X509_verify_cert_error_string(err), err, depth, buf);
 return 0;
+ }
+ if (!v->all_preverify_ok) {
+ return 0;
+ }
 if (v->verifyop & SPICE_SSL_VERIFY_OP_HOSTNAME) {
 if (verify_hostname(cert, v->hostname))
-- 
cgit v1.2.3
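Review bot: The format string in the new spice_warning call prints `depth%d` right after `num=%d`, so the log line reads `depth0` instead of `depth=0`; `"Error in server certificate verification: %s (num=%d:depth=%d:%s)"` keeps the two fields consistent and easier to grep during incident triage. Since the new branch fires for every depth, and the commit message says failures at depth > 0 are already logged earlier in the function, the same failure may now be reported twice unless that earlier path returns before reaching this block — worth confirming, as openssl_verify's body begins outside the hunk. A short comment above the new block, such as `/* Peer/chain certificate failed OpenSSL verification: log the reason and reject the handshake. */`, would make explicit that returning 0 from this callback aborts the TLS connection.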