From: hniksic <devnull@localhost>
Date: Mon, 16 May 2005 20:32:55 +0000 (-0700)
Subject: [svn] Print all issues with a certificate.
X-Git-Tag: v1.13~1024
X-Git-Url: http://sjero.net/git/?p=wget;a=commitdiff_plain;h=a039ae12fee17e9bb2c5d2bfc0526729850c6f35

[svn] Print all issues with a certificate.
---

diff --git a/src/ChangeLog b/src/ChangeLog
index 02a4b0a8..6ffdb2c0 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,3 +1,8 @@
+2005-05-16  Hrvoje Niksic  <hniksic@xemacs.org>
+
+	* openssl.c (ssl_check_certificate): Print all issues with a
+	certificate.
+
 2005-05-16  Hrvoje Niksic  <hniksic@xemacs.org>
 
 	* ftp-basic.c: Don't xfree() the line returned by ftp_response if
diff --git a/src/openssl.c b/src/openssl.c
index e72ea28a..93f00fc2 100644
--- a/src/openssl.c
+++ b/src/openssl.c
@@ -412,7 +412,7 @@ ssl_check_certificate (int fd, const char *host)
   X509 *cert;
   char common_name[256];
   long vresult;
-  int success;
+  int success = 1;
 
   /* If the user has specified --no-check-cert, we still want to warn
      him about problems with the server's certificate.  */
@@ -427,7 +427,7 @@ ssl_check_certificate (int fd, const char *host)
       logprintf (LOG_NOTQUIET, _("%s: No certificate presented by %s.\n"),
 		 severity, escnonprint (host));
       success = 0;
-      goto out;
+      goto out;			/* must bail out since CERT is NULL */
     }
 
 #ifdef ENABLE_DEBUG
@@ -445,12 +445,22 @@ ssl_check_certificate (int fd, const char *host)
   vresult = SSL_get_verify_result (ssl);
   if (vresult != X509_V_OK)
     {
+      /* #### We might want to print saner (and translatable) error
+	 messages for several frequently encountered errors.  The
+	 candidates would include
+	 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY,
+	 X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN,
+	 X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT,
+	 X509_V_ERR_CERT_NOT_YET_VALID, X509_V_ERR_CERT_HAS_EXPIRED,
+	 and possibly others.  The current approach would still be
+	 used for the less frequent failure cases.  */
       logprintf (LOG_NOTQUIET,
 		 _("%s: Certificate verification error for %s: %s\n"),
 		 severity, escnonprint (host),
 		 X509_verify_cert_error_string (vresult));
       success = 0;
-      goto out;
+      /* Fall through, so that the user is warned about *all* issues
+	 with the cert (important with --no-check-certificate.)  */
     }
 
   /* Check that HOST matches the common name in the certificate.
@@ -476,13 +486,11 @@ ssl_check_certificate (int fd, const char *host)
 %s: certificate common name `%s' doesn't match requested host name `%s'.\n"),
 		 severity, escnonprint (common_name), escnonprint (host));
       success = 0;
-      goto out;
     }
 
-  /* The certificate was found, verified, and matched HOST. */
-  success = 1;
-  DEBUGP (("X509 certificate successfully verified and matches host %s\n",
-	   escnonprint (host)));
+  if (success)
+    DEBUGP (("X509 certificate successfully verified and matches host %s\n",
+	     escnonprint (host)));
 
  out:
   if (cert)