authorKamil Dudka <kdudka@redhat.com>2009-08-13 16:04:51 +0000
committerKamil Dudka <kdudka@redhat.com>2009-08-13 16:04:51 +0000
commit6293fe98a030dc776f38dec97e8241cb09cdd170 (patch)
treed44311eba134062663458118e1011b1ada4a6e94
parent5c716247aa1595cb7e8388edfc5a4be026a403e3 (diff)
- Changed NSS code to not ignore the value of ssl.verifyhost and produce more
verbose error messages. Originally reported at: https://bugzilla.redhat.com/show_bug.cgi?id=516056
-rw-r--r--CHANGES5
-rw-r--r--lib/nss.c23
2 files changed, 24 insertions, 4 deletions
diff --git a/CHANGES b/CHANGES
index c9232c40b..5ecc26330 100644
--- a/CHANGES
+++ b/CHANGES
@@ -6,6 +6,11 @@
Changelog
+Kamil Dudka (13 Aug 2009)
+- Changed NSS code to not ignore the value of ssl.verifyhost and produce more
+ verbose error messages. Originally reported at:
+ https://bugzilla.redhat.com/show_bug.cgi?id=516056
+
Daniel Stenberg (12 Aug 2009)
- Karl Moerder fixed the Makefile.vc* makefiles to include the new file
nonblock.c so that they work fine again
diff --git a/lib/nss.c b/lib/nss.c
index c93535ee3..6ee655678 100644
--- a/lib/nss.c
+++ b/lib/nss.c
@@ -615,16 +615,26 @@ static SECStatus BadCertHandler(void *arg, PRFileDesc *sock)
issuer);
break;
case SSL_ERROR_BAD_CERT_DOMAIN:
- if(conn->data->set.ssl.verifypeer)
+ if(conn->data->set.ssl.verifyhost) {
+ failf(conn->data, "common name '%s' does not match '%s'",
+ subject, conn->host.dispname);
success = SECFailure;
- infof(conn->data, "common name: %s (does not match '%s')\n",
- subject, conn->host.dispname);
+ } else {
+ infof(conn->data, "warning: common name '%s' does not match '%s'\n",
+ subject, conn->host.dispname);
+ }
break;
case SEC_ERROR_EXPIRED_CERTIFICATE:
if(conn->data->set.ssl.verifypeer)
success = SECFailure;
infof(conn->data, "Remote Certificate has expired.\n");
break;
+ case SEC_ERROR_UNKNOWN_ISSUER:
+ if(conn->data->set.ssl.verifypeer)
+ success = SECFailure;
+ infof(conn->data, "Peer's certificate issuer is not recognized: '%s'\n",
+ issuer);
+ break;
default:
if(conn->data->set.ssl.verifypeer)
success = SECFailure;
@@ -1067,6 +1077,9 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
}
}
+ if(data->set.ssl.verifyhost == 1)
+ infof(data, "warning: ignoring unsupported value (1) of ssl.verifyhost\n");
+
data->set.ssl.certverifyresult=0; /* not checked yet */
if(SSL_BadCertHook(model, (SSLBadCertHandler) BadCertHandler, conn)
!= SECSuccess) {
@@ -1200,7 +1213,9 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
if(SSL_ForceHandshakeWithTimeout(connssl->handle,
PR_SecondsToInterval(HANDSHAKE_TIMEOUT))
!= SECSuccess) {
- if(conn->data->set.ssl.certverifyresult!=0)
+ if(conn->data->set.ssl.certverifyresult == SSL_ERROR_BAD_CERT_DOMAIN)
+ curlerr = CURLE_PEER_FAILED_VERIFICATION;
+ else if(conn->data->set.ssl.certverifyresult!=0)
curlerr = CURLE_SSL_CACERT;
goto error;
}
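Review bot: The warning added in Curl_nss_connect, `infof(data, "warning: ignoring unsupported value (1) of ssl.verifyhost\n");`, does not describe what the code now does: the SSL_ERROR_BAD_CERT_DOMAIN branch of BadCertHandler in the first hunk tests `if(conn->data->set.ssl.verifyhost)`, so a value of 1 is not ignored but handled exactly like 2, and a host name mismatch fails the connection with failf() and SECFailure. Failing closed is the right outcome, so I would leave the handler as it is and make the log line say so, e.g. `infof(data, "warning: ssl.verifyhost value 1 is not supported by NSS, treating it as 2 (strict host name check)\n");`. A one-line comment above the `verifyhost` test in BadCertHandler noting that this backend has no separate meaning for the value 1, so any non-zero value enforces a match, would keep the two places from drifting apart again. I cannot see where certverifyresult is assigned, so the new SSL_ERROR_BAD_CERT_DOMAIN mapping in the third hunk presumably relies on the handler storing the error code; both BadCertHandler and Curl_nss_connect start and end outside the hunks shown.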