https://bugs.openldap.org/show_bug.cgi?id=9195
Bug ID: 9195
Summary: Poor error messaging for TLS connect/accept with GnuTLS
Product: OpenLDAP
Version: 2.4.49
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: libraries
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: ---
When doing something like:
./clients/tools/ldapsearch -H ldap://171.67.218.153 -ZZ -x
With OpenSSL we get:
ldap_start_tls: Connect error (-11)
additional info: TLS: hostname does not match CN in peer certificate
With GnuTLS we just get:
ldap_start_tls: Connect error (-11)
additional info: (unknown error code)
We can do better. My thoughts right now are:
1. stash the verify status in the session;
2. return a specific value to indicate verify failed;
3. have tlsg_session_errmsg recognize that value and print the detailed verification status.
GnuTLS 3.5 added GNUTLS_E_CERTIFICATE_VERIFICATION_ERROR, but I don't think
it's worth bumping our required version for that alone. For the time being
(i.e. 2.5) I'd like to keep 3.3 and maybe even 3.2 supported...
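The three-step plan sketched in the report, as an added illustration in C. This is not OpenLDAP's tls_g.c and not the GnuTLS API: the flag names and values, TLSG_E_VERIFY_FAILED, tlsg_verify_peer and tlsg_explain are all assumptions made for the demo. In real code the bitmask would be the gnutls_certificate_status_t filled in by gnutls_certificate_verify_peers2() plus OpenLDAP's own hostname check, and the descriptive text could come from gnutls_certificate_verification_status_print(), which is available in GnuTLS 3.1.4 and later, so it does not require the 3.5 bump the report wants to avoid.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added illustration of the plan in the report; NOT OpenLDAP's tls_g.c and
 * NOT the GnuTLS API.  In real code the bitmask would be the
 * gnutls_certificate_status_t filled in by gnutls_certificate_verify_peers2()
 * (plus OpenLDAP's own hostname check) and the wording could come from
 * gnutls_certificate_verification_status_print().
 */

/* Constructed status flags; names and values are assumptions for the demo.
 * VFY_INVALID plays the role of GnuTLS's umbrella GNUTLS_CERT_INVALID bit,
 * which is set alongside whichever specific reason applies. */
#define VFY_INVALID           (1u << 0)
#define VFY_SIGNER_NOT_FOUND  (1u << 1)
#define VFY_EXPIRED           (1u << 2)
#define VFY_NOT_ACTIVATED     (1u << 3)
#define VFY_HOSTNAME_MISMATCH (1u << 4)   /* the CN/SAN check done by OpenLDAP itself */

/* Step 2: a private return value.  Assumed not to collide with any code
 * gnutls_strerror() knows; real code would pick it disjoint from GnuTLS's
 * error range. */
#define TLSG_E_VERIFY_FAILED  (-10000)

typedef struct tlsg_session {
    /* real session state omitted */
    unsigned int verify_status;   /* Step 1: the stashed verification result */
} tlsg_session;

/* Simulated peer verification: stash the status, report failure via the sentinel. */
int tlsg_verify_peer(tlsg_session *s, unsigned int status)
{
    s->verify_status = status;
    return status ? TLSG_E_VERIFY_FAILED : 0;
}

/* Step 3: errmsg routine that recognises the sentinel and spells out the
 * stashed flags instead of falling back to "(unknown error code)". */
char *tlsg_session_errmsg(const tlsg_session *s, int rc, char *buf, size_t len)
{
    static const struct { unsigned int bit; const char *text; } reasons[] = {
        { VFY_SIGNER_NOT_FOUND,  "issuer is not known" },
        { VFY_EXPIRED,           "certificate has expired" },
        { VFY_NOT_ACTIVATED,     "certificate is not yet activated" },
        { VFY_HOSTNAME_MISMATCH, "hostname does not match CN in peer certificate" },
    };
    size_t i, pos;
    int w;

    if (rc == 0 || len == 0)
        return NULL;
    if (rc != TLSG_E_VERIFY_FAILED) {
        /* Anything else is a genuine library error: gnutls_strerror(rc) in real code. */
        snprintf(buf, len, "TLS: library error %d", rc);
        return buf;
    }
    w = snprintf(buf, len, "TLS: peer certificate verification failed (0x%x)",
                 s->verify_status);
    if (w < 0)
        return NULL;
    pos = (size_t)w < len ? (size_t)w : len - 1;
    for (i = 0; i < sizeof reasons / sizeof reasons[0]; i++) {
        if (!(s->verify_status & reasons[i].bit))
            continue;
        w = snprintf(buf + pos, len - pos, "; %s", reasons[i].text);
        if (w < 0)
            break;
        pos += (size_t)w;
        if (pos >= len) {          /* output truncated: stop appending */
            pos = len - 1;
            break;
        }
    }
    return buf;
}

/* Convenience wrapper for the demo (static buffer, not thread-safe):
 * run verification with the given status and return the resulting message,
 * or NULL when verification was clean. */
const char *tlsg_explain(unsigned int status)
{
    static char buf[256];
    tlsg_session s;
    int rc = tlsg_verify_peer(&s, status);
    return tlsg_session_errmsg(&s, rc, buf, sizeof buf);
}

int main(void)
{
    printf("%s\n", tlsg_explain(VFY_INVALID | VFY_HOSTNAME_MISMATCH));
    printf("%s\n", tlsg_explain(VFY_INVALID | VFY_SIGNER_NOT_FOUND | VFY_EXPIRED));
    printf("clean handshake -> %s\n", tlsg_explain(0) ? "error" : "no message");
    return 0;
}
```

The point of keeping the raw bitmask in the message alongside the decoded reasons is that several bits are usually set at once (the umbrella bit plus one or more specific ones), and a user pasting the hex value into a bug report lets a developer recover every flag even if the decode table is incomplete.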