[svn] Added sanity checks for -k, -p, -r and -N when -O is given. Added fixes for...

[wget] / src / openssl.c

diff --git a/src/openssl.c b/src/openssl.c
index 14454027c60f8f151b61d7bb6f3613f71f6cb7b3..2073d3ae36caf6ba1a933366adc221e7843bb68f 100644 (file)
--- a/src/openssl.c
+++ b/src/openssl.c
@@ -1,5 +1,5 @@
 /* SSL support via OpenSSL library.
-   Copyright (C) 2000-2005 Free Software Foundation, Inc.
+   Copyright (C) 2000-2006 Free Software Foundation, Inc.
    Originally contributed by Christian Fraenkel.
 
 This file is part of GNU Wget.
@@ -225,6 +225,10 @@ ssl_init ()
      handles them correctly), allow them in OpenSSL.  */
   SSL_CTX_set_mode (ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
 
+  /* The OpenSSL library can handle renegotiations automatically, so
+     tell it to do so.  */
+  SSL_CTX_set_mode (ssl_ctx, SSL_MODE_AUTO_RETRY);
+
   return true;
 
  error:
@@ -509,19 +513,34 @@ ssl_check_certificate (int fd, const char *host)
   vresult = SSL_get_verify_result (conn);
   if (vresult != X509_V_OK)
     {
-      /* #### We might want to print saner (and translatable) error
-        messages for several frequently encountered errors.  The
-        candidates would include
-        X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY,
-        X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN,
-        X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT,
-        X509_V_ERR_CERT_NOT_YET_VALID, X509_V_ERR_CERT_HAS_EXPIRED,
-        and possibly others.  The current approach would still be
-        used for the less frequent failure cases.  */
+      char *issuer = X509_NAME_oneline (X509_get_issuer_name (cert), 0, 0);
       logprintf (LOG_NOTQUIET,
-                _("%s: Certificate verification error for %s: %s\n"),
-                severity, escnonprint (host),
-                X509_verify_cert_error_string (vresult));
+                _("%s: cannot verify %s's certificate, issued by `%s':\n"),
+                severity, escnonprint (host), escnonprint (issuer));
+      /* Try to print more user-friendly (and translated) messages for
+        the frequent verification errors.  */
+      switch (vresult)
+       {
+       case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
+         logprintf (LOG_NOTQUIET,
+                    _("  Unable to locally verify the issuer's authority.\n"));
+         break;
+       case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
+       case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
+         logprintf (LOG_NOTQUIET, _("  Self-signed certificate encountered.\n"));
+         break;
+       case X509_V_ERR_CERT_NOT_YET_VALID:
+         logprintf (LOG_NOTQUIET, _("  Issued certificate not yet valid.\n"));
+         break;
+       case X509_V_ERR_CERT_HAS_EXPIRED:
+         logprintf (LOG_NOTQUIET, _("  Issued certificate has expired.\n"));
+         break;
+       default:
+         /* For the less frequent error strings, simply provide the
+            OpenSSL error message.  */
+         logprintf (LOG_NOTQUIET, "  %s\n",
+                    X509_verify_cert_error_string (vresult));
+       }
       success = false;
       /* Fall through, so that the user is warned about *all* issues
         with the cert (important with --no-check-certificate.)  */