minfrin commented on code in PR #7: URL: https://github.com/apache/serf/pull/7#discussion_r2160250166
########## buckets/ssl_buckets.c: ########## @@ -890,6 +890,10 @@ validate_server_certificate(int cert_valid, X509_STORE_CTX *store_ctx) case X509_V_ERR_UNABLE_TO_GET_CRL: failures |= SERF_SSL_CERT_UNABLE_TO_GET_CRL; break; + case X509_V_ERR_CERT_SIGNATURE_FAILURE: + case X509_V_ERR_CRL_SIGNATURE_FAILURE: + failures |= SERF_SSL_SIGNATURE_FAILURE; + break;

Review Comment:

On the separate flag, openssl returns 95 possible reasons for a certificate not to verify, and we ignore most of them, returning "unknown error", which translates to "an error has occurred".

https://github.com/openssl/openssl/blob/cdd01b5e0734b0324251b32a8edd97f42ba90429/include/openssl/x509_vfy.h.in#L206

Ideally we want to expose underlying errors as strings, accessible to the caller above. It should not be necessary to know or care what crypto API created the string; that string must be visible to the caller.

What I had in mind was to attach the last known SSL error to the pool, or to a context, and have a function like this:

```
const char *serf_error_detail(apr_pool_t *pool);
```

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@serf.apache.org

For queries about this service, please contact Infrastructure at: us...@infra.apache.org
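Review bot: The two new cases fold X509_V_ERR_CERT_SIGNATURE_FAILURE and X509_V_ERR_CRL_SIGNATURE_FAILURE into the single SERF_SSL_SIGNATURE_FAILURE bit, so a caller cannot tell a forged or corrupted server certificate from a CRL that fails its signature check, even though the existing X509_V_ERR_UNABLE_TO_GET_CRL case in the same switch keeps CRL trouble distinct via SERF_SSL_CERT_UNABLE_TO_GET_CRL. Either give the CRL case its own bit or keep the raw X509 error code available next to the bitmask. SERF_SSL_SIGNATURE_FAILURE is also only used here and not defined in this hunk; its public-header definition and documentation belong in the same change, and that documentation should state whether this failure is one the application's certificate callback is allowed to accept.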
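As an added illustration of the design the comment proposes, and not code from serf or from this PR: a library-free C sketch in which the verify-error switch keeps the raw library code and the crypto library's own message next to the failure bitmask, with an accessor in the spirit of `serf_error_detail()`, and a caller that uses the bits for policy and the text for reporting. Every name here (`verify_ctx_t`, `record_verify_error`, `caller_accepts`, the `FAIL_*` bits, and the `VERIFY_*` values, which are assumed to mirror OpenSSL's X509_V_ERR_* numbering) is a hypothetical stand-in, and a context struct is used in place of the APR pool so the example builds with only a C compiler.

```c
#include <stdio.h>
#include <string.h>

/* Assumed: these values mirror the X509_V_ERR_* numbering in OpenSSL's
 * x509_vfy.h; they are redefined here so the example builds without OpenSSL. */
enum {
    VERIFY_OK                     = 0,
    VERIFY_UNABLE_TO_GET_CRL      = 3,
    VERIFY_CERT_SIGNATURE_FAILURE = 7,
    VERIFY_CRL_SIGNATURE_FAILURE  = 8,
    VERIFY_CERT_HAS_EXPIRED       = 10,
    VERIFY_SELF_SIGNED_IN_CHAIN   = 19
};

/* Hypothetical stand-ins for serf's SERF_SSL_* failure bits. */
#define FAIL_UNKNOWN           0x01
#define FAIL_UNABLE_TO_GET_CRL 0x02
#define FAIL_SIGNATURE         0x04
#define FAIL_EXPIRED           0x08

/* The proposal: keep the last verification error next to the failure bits.
 * The comment suggests hanging this off the APR pool or a context; a plain
 * context struct is used here so the example needs no APR. */
typedef struct {
    int failures;        /* bitmask, as validate_server_certificate() builds today */
    int verify_code;     /* raw library error code, preserved for the caller */
    const char *detail;  /* the library's own text, e.g. X509_verify_cert_error_string() */
} verify_ctx_t;

/* Stand-in for X509_verify_cert_error_string(); a real implementation would
 * call into the crypto library so every one of its reasons gets text. */
static const char *verify_error_string(int code)
{
    switch (code) {
    case VERIFY_OK:                     return "ok";
    case VERIFY_UNABLE_TO_GET_CRL:      return "unable to get certificate CRL";
    case VERIFY_CERT_SIGNATURE_FAILURE: return "certificate signature failure";
    case VERIFY_CRL_SIGNATURE_FAILURE:  return "CRL signature failure";
    case VERIFY_CERT_HAS_EXPIRED:       return "certificate has expired";
    case VERIFY_SELF_SIGNED_IN_CHAIN:   return "self-signed certificate in certificate chain";
    default:                            return "unknown certificate verification error";
    }
}

/* Same shape as the switch in the hunk: map a library code onto failure bits,
 * but also record the code and its text so nothing is lost for unmapped codes. */
int record_verify_error(verify_ctx_t *ctx, int code)
{
    ctx->verify_code = code;
    ctx->detail = verify_error_string(code);
    switch (code) {
    case VERIFY_OK:                     break;
    case VERIFY_UNABLE_TO_GET_CRL:      ctx->failures |= FAIL_UNABLE_TO_GET_CRL; break;
    case VERIFY_CERT_SIGNATURE_FAILURE:
    case VERIFY_CRL_SIGNATURE_FAILURE:  ctx->failures |= FAIL_SIGNATURE; break;
    case VERIFY_CERT_HAS_EXPIRED:       ctx->failures |= FAIL_EXPIRED; break;
    default:                            ctx->failures |= FAIL_UNKNOWN; break; /* all the caller sees today */
    }
    return ctx->failures;
}

/* The accessor the comment proposes, taking the context instead of a pool. */
const char *error_detail(const verify_ctx_t *ctx)
{
    return ctx->detail;
}

/* Caller-side policy: the bits decide which failures a user may override; a
 * signature failure, or a code the library layer could not classify, is never
 * overridable. The detail string is what goes into the log or the prompt. */
int caller_accepts(const verify_ctx_t *ctx, int user_overrides)
{
    if (ctx->failures & (FAIL_SIGNATURE | FAIL_UNKNOWN))
        return 0;
    return (ctx->failures & ~user_overrides) == 0;
}

/* Convenience wrappers that run one code through the whole path. */
int demo_failures(int code)
{
    verify_ctx_t ctx = { 0, 0, NULL };
    return record_verify_error(&ctx, code);
}

const char *demo_detail(int code)
{
    verify_ctx_t ctx = { 0, 0, NULL };
    record_verify_error(&ctx, code);
    return error_detail(&ctx);
}

int demo_accepts(int code, int user_overrides)
{
    verify_ctx_t ctx = { 0, 0, NULL };
    record_verify_error(&ctx, code);
    return caller_accepts(&ctx, user_overrides);
}

int main(void)
{
    int codes[] = { VERIFY_UNABLE_TO_GET_CRL, VERIFY_CERT_SIGNATURE_FAILURE, VERIFY_SELF_SIGNED_IN_CHAIN };
    for (size_t i = 0; i < sizeof codes / sizeof codes[0]; i++) {
        verify_ctx_t ctx = { 0, 0, NULL };
        record_verify_error(&ctx, codes[i]);
        printf("code %2d failures=0x%02x accept=%d accept(CRL override)=%d detail=\"%s\"\n",
               ctx.verify_code, ctx.failures, caller_accepts(&ctx, 0),
               caller_accepts(&ctx, FAIL_UNABLE_TO_GET_CRL), error_detail(&ctx));
    }
    return 0;
}
```

The point the run shows is the self-signed case: the bitmask alone reports only FAIL_UNKNOWN, which is the "an error has occurred" the comment objects to, while the recorded code and text still tell the caller exactly what went wrong. Swapping `verify_error_string()` for `X509_verify_cert_error_string()` gives every one of OpenSSL's reasons a message without adding a bit per reason.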