From d3617fbcf0e49d614f1a17719a0d4f6f663644fd Mon Sep 17 00:00:00 2001
From: hniksic
Date: Thu, 7 Jul 2005 08:31:37 -0700
Subject: [PATCH] [svn] Print separate error messages for frequent X509 certificate problems.
---
src/ChangeLog | 5 +++++
src/openssl.c | 39 +++++++++++++++++++++++++++------------
2 files changed, 32 insertions(+), 12 deletions(-)
diff --git a/src/ChangeLog b/src/ChangeLog
index e47f591a..fad4a13e 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,3 +1,8 @@
+2005-07-07 Hrvoje Niksic
+
+ * openssl.c (ssl_check_certificate): Print custom error messages
+ for frequent X509 certificate problems.
+
 2005-07-07 Hrvoje Niksic
 
 * mswindows.h: Define an alias for stat and fstat, as requested by
diff --git a/src/openssl.c b/src/openssl.c
index 14454027..253b903b 100644
--- a/src/openssl.c
+++ b/src/openssl.c
@@ -509,19 +509,34 @@ ssl_check_certificate (int fd, const char *host)
 vresult = SSL_get_verify_result (conn);
 if (vresult != X509_V_OK)
 {
- /* #### We might want to print saner (and translatable) error
- messages for several frequently encountered errors. The
- candidates would include
- X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY,
- X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN,
- X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT,
- X509_V_ERR_CERT_NOT_YET_VALID, X509_V_ERR_CERT_HAS_EXPIRED,
- and possibly others. The current approach would still be
- used for the less frequent failure cases. */
+ char *issuer = X509_NAME_oneline (X509_get_issuer_name (cert), 0, 0);
 logprintf (LOG_NOTQUIET,
- _("%s: Certificate verification error for %s: %s\n"),
- severity, escnonprint (host),
- X509_verify_cert_error_string (vresult));
+ _("%s: cannot verify %s's certificate, issued by `%s':\n"),
+ severity, escnonprint (host), escnonprint (issuer));
+ /* Try to print more user-friendly (and translated) messages for
+ the frequent verification errors. */
+ switch (vresult)
+ {
+ case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
+ logprintf (LOG_NOTQUIET,
+ _(" Unable to locally verify the issuer's authority.\n"));
+ break;
+ case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
+ case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
+ logprintf (LOG_NOTQUIET, _(" Self-signed certificate encountered.\n"));
+ break;
+ case X509_V_ERR_CERT_NOT_YET_VALID:
+ logprintf (LOG_NOTQUIET, _(" Issued certificate not yet valid.\n"));
+ break;
+ case X509_V_ERR_CERT_HAS_EXPIRED:
+ logprintf (LOG_NOTQUIET, _(" Issued certificate has expired.\n"));
+ break;
+ default:
+ /* For the less frequent error strings, simply provide the
+ OpenSSL error message. */
+ logprintf (LOG_NOTQUIET, " %s\n",
+ X509_verify_cert_error_string (vresult));
+ }
 success = false;
 /* Fall through, so that the user is warned about *all* issues
 with the cert (important with --no-check-certificate.) */
--
2.39.2
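Review bot: The `issuer` buffer obtained from `X509_NAME_oneline (X509_get_issuer_name (cert), 0, 0)` is never released anywhere in the hunk, and with a NULL output buffer OpenSSL allocates it for the caller, so every failed verification (including every connection made under --no-check-certificate) leaks it; release it once the messages are printed, after the switch's closing brace: `OPENSSL_free (issuer);`. X509_NAME_oneline can also return NULL on allocation failure, and whether escnonprint tolerates a NULL argument is not visible here, so the new logprintf call should check `issuer` before handing it to escnonprint rather than assume it. Passing the issuer name through escnonprint is the right call, since that string comes straight from the peer's certificate and must not reach the terminal unescaped. ssl_check_certificate starts before this hunk and continues after it, so `cert`, `severity` and the eventual return are outside view.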