author | Daniel Stenberg <daniel@haxx.se> | 2016-01-14 21:25:30 +0100 |
---|---|---|
committer | Daniel Stenberg <daniel@haxx.se> | 2016-01-14 21:25:30 +0100 |
commit | 35083ca60ed035a4a097c003a339d92b69f3d87c (patch) | |
tree | 7c4f10ff458056e35526a3f065b12224067b06b0 /lib | |
parent | fdcc4d6daa0a28c530577a0e83066b110e390428 (diff) |
openssl: improved error detection/reporting
... by extracting the LIB + REASON from the OpenSSL error code. OpenSSL
1.1.0+ returned a new func number of another certificate fail so this
required a fix and this is the better way to catch this error anyway.
Diffstat (limited to 'lib')
-rw-r--r-- | lib/vtls/openssl.c | 43 |
1 files changed, 18 insertions, 25 deletions
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index 204d6574b..e5589e325 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -2104,27 +2104,22 @@ static CURLcode ossl_connect_step2(struct connectdata *conn, int sockindex)
                                     least 256 bytes long. */
       CURLcode result;
       long lerr;
+      int lib;
+      int reason;
 
-      connssl->connecting_state = ssl_connect_2; /* the connection failed,
-                                                    we're not waiting for
-                                                    anything else. */
-
-      errdetail = ERR_get_error(); /* Gets the earliest error code from the
-                                      thread's error queue and removes the
-                                      entry. */
-
-      switch(errdetail) {
-      case 0x1407E086:
-        /* 1407E086:
-           SSL routines:
-           SSL2_SET_CERTIFICATE:
-           certificate verify failed */
-        /* fall-through */
-      case 0x14090086:
-        /* 14090086:
-           SSL routines:
-           SSL3_GET_SERVER_CERTIFICATE:
-           certificate verify failed */
+      /* the connection failed, we're not waiting for anything else. */
+      connssl->connecting_state = ssl_connect_2;
+
+      /* Get the earliest error code from the thread's error queue and removes
+         the entry. */
+      errdetail = ERR_get_error();
+
+      /* Extract which lib and reason */
+      lib = ERR_GET_LIB(errdetail);
+      reason = ERR_GET_REASON(errdetail);
+
+      if((lib == ERR_LIB_SSL) &&
+         (reason == SSL_R_CERTIFICATE_VERIFY_FAILED)) {
         result = CURLE_SSL_CACERT;
 
         lerr = SSL_get_verify_result(connssl->handle);
@@ -2136,13 +2131,11 @@ static CURLcode ossl_connect_step2(struct connectdata *conn, int sockindex)
         else
           /* strcpy() is fine here as long as the string fits within
              error_buffer */
-          strcpy(error_buffer,
-                 "SSL certificate problem, check your CA cert");
-        break;
-      default:
+          strcpy(error_buffer, "SSL certificate verification failed");
+      }
+      else {
         result = CURLE_SSL_CONNECT_ERROR;
         SSL_strerror(errdetail, error_buffer, sizeof(error_buffer));
-        break;
       }
 
       /* detail is already set to the SSL error above */
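Review bot: The new `if((lib == ERR_LIB_SSL) && (reason == SSL_R_CERTIFICATE_VERIFY_FAILED))` test in the first hunk does not distinguish an empty error queue: when `ERR_get_error()` returns 0, `lib` and `reason` are both 0, the code falls into the `else` branch, and `SSL_strerror(0, ...)` fills error_buffer with a string that carries no diagnostic value. The context comment `/* detail is already set to the SSL error above */` indicates an SSL_get_error() value is available in this block, so a guard such as `if(!errdetail) { /* nothing queued by OpenSSL; fall back to the SSL_get_error() value */ }` before the lib/reason check would keep the reported error meaningful; whether that fallback already exists further down is not visible in the hunk. The decision also rests only on the earliest queued entry, which is presumably intended but worth a one-line comment on the `errdetail = ERR_get_error();` line. The enclosing ossl_connect_step2 body starts and ends outside both hunks.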