On Sat, 21 Apr 2012, Gokhan Sengun wrote:
Small patch is ready and attached. To easily see the enhancement on Linux: change your system time to 2000's like below (be root)
Thanks! Two minor nits on the patch: 1 - do make sure you have the correct email address configured in your local git (so that my 'git am' works better) and 2 - we use a short and descriptive first line/topic in the commit message in traditional git style. I fixed both in my updated version.
I also would like to see the "more descriptive" error message become what ends up in the error buffer rather than "just" being in verbose output. I thus tried to rearrange the code slightly to make that happen. Can you please check and see if you like/approve of my version of your change? (see attachment)
-- / daniel.haxx.se
From 25a573d6bf168b5b94de1b6f60a591b525cd154f Mon Sep 17 00:00:00 2001 From: Gokhan Sengun <[email protected]> Date: Tue, 29 Feb 2000 16:49:47 +0200 Subject: [PATCH] OpenSSL cert: provide more details when cert check fails curl needs to be more chatty regarding certificate verification failure during SSL handshake --- lib/ssluse.c | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/lib/ssluse.c b/lib/ssluse.c index 8652cbd..a55ad3c 100644 --- a/lib/ssluse.c +++ b/lib/ssluse.c @@ -1803,6 +1803,7 @@ ossl_connect_step2(struct connectdata *conn, int sockindex) 256 bytes long. */ CURLcode rc; const char *cert_problem = NULL; + long lerr; connssl->connecting_state = ssl_connect_2; /* the connection failed, we're not waiting for @@ -1824,12 +1825,22 @@ ossl_connect_step2(struct connectdata *conn, int sockindex) SSL routines: SSL3_GET_SERVER_CERTIFICATE: certificate verify failed */ - cert_problem = "SSL certificate problem, verify that the CA cert is" - " OK. Details:\n"; rc = CURLE_SSL_CACERT; + + lerr = SSL_get_verify_result(connssl->handle); + if(lerr != X509_V_OK) { + snprintf(error_buffer, sizeof(error_buffer), + "SSL certificate problem: %s", + X509_verify_cert_error_string(lerr)); + } + else + cert_problem = "SSL certificate problem, verify that the CA cert is" + " OK."; + break; default: rc = CURLE_SSL_CONNECT_ERROR; + SSL_strerror(errdetail, error_buffer, sizeof(error_buffer)); break; } @@ -1846,7 +1857,6 @@ ossl_connect_step2(struct connectdata *conn, int sockindex) } /* Could be a CERT problem */ - SSL_strerror(errdetail, error_buffer, sizeof(error_buffer)); failf(data, "%s%s", cert_problem ? cert_problem : "", error_buffer); return rc; } -- 1.7.10
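Review bot: In the second hunk (certificate verify failed case), the else branch taken when lerr == X509_V_OK sets cert_problem but writes nothing to error_buffer, and the last hunk removes the SSL_strerror() call that used to fill it before failf(data, "%s%s", ...). On that path failf now reads error_buffer with no write visible anywhere in this patch, so unless the buffer is zeroed at its declaration (not shown in these hunks) the message can carry stale or uninitialised bytes. Suggest calling SSL_strerror(errdetail, error_buffer, sizeof(error_buffer)) in the else branch as well, or at least setting error_buffer[0] = '\0' there. The same concern applies to any other case label in this switch that is outside the visible context, since filling error_buffer is now the responsibility of each case rather than the common exit path.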
------------------------------------------------------------------- List admin: http://cool.haxx.se/list/listinfo/curl-library Etiquette: http://curl.haxx.se/mail/etiquette.html
