aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--CHANGES5
-rw-r--r--lib/nss.c12
2 files changed, 12 insertions, 5 deletions
diff --git a/CHANGES b/CHANGES
index ef5896f20..8a77b0487 100644
--- a/CHANGES
+++ b/CHANGES
@@ -6,6 +6,11 @@
Changelog
+Kamil Dudka (28 Aug 2009)
+- Improved error message for not matching certificate subject name in
+ libcurl-NSS. Originally reported at:
+ https://bugzilla.redhat.com/show_bug.cgi?id=516056#c9
+
Patrick Monnerat (24 Aug 2009)
- Introduced a SYST-based test to properly set-up name format when dealing
with the OS/400 FTP server.
diff --git a/lib/nss.c b/lib/nss.c
index 6ee655678..02fa06d9c 100644
--- a/lib/nss.c
+++ b/lib/nss.c
@@ -591,7 +591,7 @@ static SECStatus BadCertHandler(void *arg, PRFileDesc *sock)
struct connectdata *conn = (struct connectdata *)arg;
PRErrorCode err = PR_GetError();
CERTCertificate *cert = NULL;
- char *subject, *issuer;
+ char *subject, *subject_cn, *issuer;
if(conn->data->set.ssl.certverifyresult!=0)
return success;
@@ -599,6 +599,7 @@ static SECStatus BadCertHandler(void *arg, PRFileDesc *sock)
conn->data->set.ssl.certverifyresult=err;
cert = SSL_PeerCertificate(sock);
subject = CERT_NameToAscii(&cert->subject);
+ subject_cn = CERT_GetCommonName(&cert->subject);
issuer = CERT_NameToAscii(&cert->issuer);
CERT_DestroyCertificate(cert);
@@ -616,12 +617,12 @@ static SECStatus BadCertHandler(void *arg, PRFileDesc *sock)
break;
case SSL_ERROR_BAD_CERT_DOMAIN:
if(conn->data->set.ssl.verifyhost) {
- failf(conn->data, "common name '%s' does not match '%s'",
- subject, conn->host.dispname);
+ failf(conn->data, "SSL: certificate subject name '%s' does not match "
+ "target host name '%s'", subject_cn, conn->host.dispname);
success = SECFailure;
} else {
- infof(conn->data, "warning: common name '%s' does not match '%s'\n",
- subject, conn->host.dispname);
+ infof(conn->data, "warning: SSL: certificate subject name '%s' does not "
+ "match target host name '%s'\n", subject_cn, conn->host.dispname);
}
break;
case SEC_ERROR_EXPIRED_CERTIFICATE:
@@ -645,6 +646,7 @@ static SECStatus BadCertHandler(void *arg, PRFileDesc *sock)
if(success == SECSuccess)
infof(conn->data, "SSL certificate verify ok.\n");
PR_Free(subject);
+ PR_Free(subject_cn);
PR_Free(issuer);
return success;