The attached patch against 0.9.6c maps the new X509 verification error
codes into SSL alerts, using the following mappings:
X509_V_ERR_CERT_UNTRUSTED => SSL_AD_BAD_CERTIFICATE
X509_V_ERR_CERT_REJECTED => SSL_AD_BAD_CERTIFICATE
X509_V_ERR_PATH_LENGTH_EXCEEDED => SSL_AD_UNKNOWN_CA
X509_V_ERR_INVALID_CA => SSL_AD_UNKNOWN_CA
X509_V_ERR_INVALID_PURPOSE => SSL_AD_UNSUPPORTED_CERTIFICATE
Tom
--
Tom Wu
Principal Software Engineer
Arcot Systems
(408) 969-6124
--- openssl-0.9.6c-orig/ssl/s3_both.c Mon Oct 15 10:42:43 2001
+++ openssl-0.9.6c/ssl/s3_both.c Mon Mar 18 17:13:24 2002
@@ -528,6 +528,8 @@
case X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD:
case X509_V_ERR_CERT_NOT_YET_VALID:
case X509_V_ERR_CRL_NOT_YET_VALID:
+ case X509_V_ERR_CERT_UNTRUSTED:
+ case X509_V_ERR_CERT_REJECTED:
al=SSL_AD_BAD_CERTIFICATE;
break;
case X509_V_ERR_CERT_SIGNATURE_FAILURE:
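Review bot: The two new labels `X509_V_ERR_CERT_UNTRUSTED` and `X509_V_ERR_CERT_REJECTED` carry no comment, and the reason they land in the bad_certificate group rather than in the unknown_ca group a few lines below (where the other chain/issuer failures sit) is stated only in the cover mail. As I read the 0.9.6 verify semantics both codes mean the trust settings on the chain do not permit the requested purpose, so a reader will reasonably ask whether unknown_ca was intended; a one-line comment would settle it: `/* trust settings reject this chain for the purpose: fault the presented cert, not a missing issuer */`. The same applies to the labels added in the second hunk of this file. The enclosing switch (presumably ssl_verify_alarm_type) starts and ends outside the hunk.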
@@ -549,10 +551,15 @@
case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
case X509_V_ERR_CERT_CHAIN_TOO_LONG:
+ case X509_V_ERR_PATH_LENGTH_EXCEEDED:
+ case X509_V_ERR_INVALID_CA:
al=SSL_AD_UNKNOWN_CA;
break;
case X509_V_ERR_APPLICATION_VERIFICATION:
al=SSL_AD_HANDSHAKE_FAILURE;
+ break;
+ case X509_V_ERR_INVALID_PURPOSE:
+ al=SSL_AD_UNSUPPORTED_CERTIFICATE;
break;
default:
al=SSL_AD_CERTIFICATE_UNKNOWN;
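Review bot: After this hunk the `default:` branch still maps every verify code not listed above to certificate_unknown, and nothing records whether that is the intended fallback or an omission; in 0.9.6 that set includes at least X509_V_ERR_SUBJECT_ISSUER_MISMATCH and X509_V_ERR_KEYUSAGE_NO_CERTSIGN, if I recall x509_vfy.h correctly. If the coarse alert is deliberate, say so at `default:` with `/* remaining X509_V_ERR_* codes: no more specific TLS alert applies */`, so the next person adding a code knows to extend the table only when a closer alert exists. For the new `X509_V_ERR_INVALID_PURPOSE` case a short note that unsupported_certificate is the RFC 2246 alert for a certificate of an unsupported type would tie the choice to the spec rather than to this mail. The function continues outside the hunk on both sides.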