OpenSSL cert: provide more details when cert check fails

curl needs to be more chatty regarding certificate verification failure
during SSL handshake

1 files changed, 13 insertions, 3 deletions

diff --git a/lib/ssluse.c b/lib/ssluse.c
index 8652cbd7c..a55ad3ce1 100644
--- a/lib/ssluse.c
+++ b/lib/ssluse.c
@@ -1803,6 +1803,7 @@ ossl_connect_step2(struct connectdata *conn, int sockindex)
                                  256 bytes long. */
       CURLcode rc;
       const char *cert_problem = NULL;
+      long lerr;
 
       connssl->connecting_state = ssl_connect_2; /* the connection failed,
                                                     we're not waiting for
@@ -1824,12 +1825,22 @@ ossl_connect_step2(struct connectdata *conn, int sockindex)
            SSL routines:
            SSL3_GET_SERVER_CERTIFICATE:
            certificate verify failed */
-        cert_problem = "SSL certificate problem, verify that the CA cert is"
-          " OK. Details:\n";
         rc = CURLE_SSL_CACERT;
+
+        lerr = SSL_get_verify_result(connssl->handle);
+        if(lerr != X509_V_OK) {
+          snprintf(error_buffer, sizeof(error_buffer),
+                   "SSL certificate problem: %s",
+                   X509_verify_cert_error_string(lerr));
+        }
+        else
+          cert_problem = "SSL certificate problem, verify that the CA cert is"
+            " OK.";
+
         break;
       default:
         rc = CURLE_SSL_CONNECT_ERROR;
+        SSL_strerror(errdetail, error_buffer, sizeof(error_buffer));
         break;
       }
 
@@ -1846,7 +1857,6 @@ ossl_connect_step2(struct connectdata *conn, int sockindex)
       }
       /* Could be a CERT problem */
 
-      SSL_strerror(errdetail, error_buffer, sizeof(error_buffer));
       failf(data, "%s%s", cert_problem ? cert_problem : "", error_buffer);
       return rc;
     }