aboutsummaryrefslogtreecommitdiff
path: root/lib
diff options
context:
space:
mode:
authorDaniel Stenberg <daniel@haxx.se>2016-01-14 21:25:30 +0100
committerDaniel Stenberg <daniel@haxx.se>2016-01-14 21:25:30 +0100
commit35083ca60ed035a4a097c003a339d92b69f3d87c (patch)
tree7c4f10ff458056e35526a3f065b12224067b06b0 /lib
parentfdcc4d6daa0a28c530577a0e83066b110e390428 (diff)
openssl: improved error detection/reporting
... by extracting the LIB + REASON from the OpenSSL error code. OpenSSL 1.1.0+ returned a new func number of another cerfificate fail so this required a fix and this is the better way to catch this error anyway.
Diffstat (limited to 'lib')
-rw-r--r--lib/vtls/openssl.c43
1 files changed, 18 insertions, 25 deletions
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index 204d6574b..e5589e325 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -2104,27 +2104,22 @@ static CURLcode ossl_connect_step2(struct connectdata *conn, int sockindex)
least 256 bytes long. */
CURLcode result;
long lerr;
+ int lib;
+ int reason;
- connssl->connecting_state = ssl_connect_2; /* the connection failed,
- we're not waiting for
- anything else. */
-
- errdetail = ERR_get_error(); /* Gets the earliest error code from the
- thread's error queue and removes the
- entry. */
-
- switch(errdetail) {
- case 0x1407E086:
- /* 1407E086:
- SSL routines:
- SSL2_SET_CERTIFICATE:
- certificate verify failed */
- /* fall-through */
- case 0x14090086:
- /* 14090086:
- SSL routines:
- SSL3_GET_SERVER_CERTIFICATE:
- certificate verify failed */
+ /* the connection failed, we're not waiting for anything else. */
+ connssl->connecting_state = ssl_connect_2;
+
+ /* Get the earliest error code from the thread's error queue and removes
+ the entry. */
+ errdetail = ERR_get_error();
+
+ /* Extract which lib and reason */
+ lib = ERR_GET_LIB(errdetail);
+ reason = ERR_GET_REASON(errdetail);
+
+ if((lib == ERR_LIB_SSL) &&
+ (reason == SSL_R_CERTIFICATE_VERIFY_FAILED)) {
result = CURLE_SSL_CACERT;
lerr = SSL_get_verify_result(connssl->handle);
@@ -2136,13 +2131,11 @@ static CURLcode ossl_connect_step2(struct connectdata *conn, int sockindex)
else
/* strcpy() is fine here as long as the string fits within
error_buffer */
- strcpy(error_buffer,
- "SSL certificate problem, check your CA cert");
- break;
- default:
+ strcpy(error_buffer, "SSL certificate verification failed");
+ }
+ else {
result = CURLE_SSL_CONNECT_ERROR;
SSL_strerror(errdetail, error_buffer, sizeof(error_buffer));
- break;
}
/* detail is already set to the SSL error above */