Hi there,

>
>> > It sounds good to me.. Are you able to generate a patch
>> > for that?
>>
>> Yes sure, but it will take a few days for me to get more
>> accustomed to the subject and generate a few other use
>> cases (certificate verification failures) to make sure that
>> what is proposed is actually something useful :-)

Small patch is ready and attached.

To easily see the enhancement on Linux, change your system time to the
2000s like below (be root):

date -s "2000-02-29  16:21:42"

then try

curl -v https://www.facebook.com

You will see nothing regarding the verification problem.

Then apply the patch and build curl.

Now try the web site again; you will see an error like "certificate
is not valid yet", and then you have a chance to diagnose the problem.

Thanks
From 67ff99912d038a62ca16556242d6e7b208fff35c Mon Sep 17 00:00:00 2001
From: Gokhan Sengun <[email protected]>
Date: Tue, 29 Feb 2000 16:49:47 +0200
Subject: [PATCH] curl needs to be more chatty regarding certificate verification failure during SSL handshake

---
 lib/ssluse.c |    8 ++++++++
 1 files changed, 8 insertions(+), 0 deletions(-)
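
Review bot: The Date: header of this commit reads Tue, 29 Feb 2000, which matches the test clock set with date -s in the message above rather than the real authoring time. Restore the system clock and re-create the commit (or amend its date) before this is applied, otherwise the project history will carry the bogus timestamp.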

diff --git a/lib/ssluse.c b/lib/ssluse.c
index 8652cbd..40fb4e8 100644
--- a/lib/ssluse.c
+++ b/lib/ssluse.c
@@ -1772,6 +1772,7 @@ ossl_connect_step2(struct connectdata *conn, int sockindex)
 {
   struct SessionHandle *data = conn->data;
   int err;
+  long lerr;
   struct ssl_connect_data *connssl = &conn->ssl[sockindex];
 
   DEBUGASSERT(ssl_connect_2 == connssl->connecting_state
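
Review bot: The new local `long lerr;` sits right next to the existing `int err;` and the two names are easy to confuse. It only ever holds the value of SSL_get_verify_result(), so a name such as `verify_result` would make that clear at the point of use in the next hunk.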
@@ -1827,6 +1828,13 @@ ossl_connect_step2(struct connectdata *conn, int sockindex)
         cert_problem = "SSL certificate problem, verify that the CA cert is"
           " OK. Details:\n";
         rc = CURLE_SSL_CACERT;
+
+        lerr = SSL_get_verify_result(connssl->handle);
+        if(lerr != X509_V_OK) {
+          infof(data, "\t SSL certificate fail reason: %s (%ld)\n",
+                X509_verify_cert_error_string(lerr), lerr);
+        }
+
         break;
       default:
         rc = CURLE_SSL_CONNECT_ERROR;
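
Review bot: The verify reason in the CURLE_SSL_CACERT branch is reported only through infof(), so it is visible only when verbose output is enabled (the test above uses curl -v). An application or a non-verbose command line still gets just the generic "SSL certificate problem" text. Consider carrying X509_verify_cert_error_string(lerr) into the error message that is built from cert_problem, so the reason reaches the error buffer as well. Two smaller points: the leading "\t " in the format string does not match how other infof() lines are written, and since this branch is only reached on a certificate verification failure, it is worth confirming whether the `lerr != X509_V_OK` guard can ever be false here. If it can, the generic message is again all the user sees.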
-- 
1.7.2.5

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette:  http://curl.haxx.se/mail/etiquette.html