diff options
-rw-r--r-- | CHANGES | 5 | ||||
-rw-r--r-- | lib/nss.c | 12 |
2 files changed, 12 insertions, 5 deletions
@@ -6,6 +6,11 @@ Changelog +Kamil Dudka (28 Aug 2009) +- Improved error message for not matching certificate subject name in + libcurl-NSS. Originally reported at: + https://bugzilla.redhat.com/show_bug.cgi?id=516056#c9 + Patrick Monnerat (24 Aug 2009) - Introduced a SYST-based test to properly set-up name format when dealing with the OS/400 FTP server. @@ -591,7 +591,7 @@ static SECStatus BadCertHandler(void *arg, PRFileDesc *sock) struct connectdata *conn = (struct connectdata *)arg; PRErrorCode err = PR_GetError(); CERTCertificate *cert = NULL; - char *subject, *issuer; + char *subject, *subject_cn, *issuer; if(conn->data->set.ssl.certverifyresult!=0) return success; @@ -599,6 +599,7 @@ static SECStatus BadCertHandler(void *arg, PRFileDesc *sock) conn->data->set.ssl.certverifyresult=err; cert = SSL_PeerCertificate(sock); subject = CERT_NameToAscii(&cert->subject); + subject_cn = CERT_GetCommonName(&cert->subject); issuer = CERT_NameToAscii(&cert->issuer); CERT_DestroyCertificate(cert); @@ -616,12 +617,12 @@ static SECStatus BadCertHandler(void *arg, PRFileDesc *sock) break; case SSL_ERROR_BAD_CERT_DOMAIN: if(conn->data->set.ssl.verifyhost) { - failf(conn->data, "common name '%s' does not match '%s'", - subject, conn->host.dispname); + failf(conn->data, "SSL: certificate subject name '%s' does not match " + "target host name '%s'", subject_cn, conn->host.dispname); success = SECFailure; } else { - infof(conn->data, "warning: common name '%s' does not match '%s'\n", - subject, conn->host.dispname); + infof(conn->data, "warning: SSL: certificate subject name '%s' does not " + "match target host name '%s'\n", subject_cn, conn->host.dispname); } break; case SEC_ERROR_EXPIRED_CERTIFICATE: @@ -645,6 +646,7 @@ static SECStatus BadCertHandler(void *arg, PRFileDesc *sock) if(success == SECSuccess) infof(conn->data, "SSL certificate verify ok.\n"); PR_Free(subject); + PR_Free(subject_cn); PR_Free(issuer); return success; |