-rw-r--r--RELEASE-NOTES1
-rw-r--r--lib/nss.c42
2 files changed, 31 insertions, 12 deletions
diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index edd6b4084..869894e3a 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -29,6 +29,7 @@ This release includes the following bugfixes:
o curl man page cleanup
o Avoid leak of local device string when reusing connection
o Curl_socket_check: fix return code for timeout [11]
+ o nss: do not print misleading NSS error codes
This release includes the following known bugs:
diff --git a/lib/nss.c b/lib/nss.c
index b11796cef..a8e08f419 100644
--- a/lib/nss.c
+++ b/lib/nss.c
@@ -1084,17 +1084,31 @@ int Curl_nss_close_all(struct SessionHandle *data)
return 0;
}
-/* return true if the given error code is related to a client certificate */
-static bool is_cc_error(PRInt32 err)
+/* return true if NSS can provide error code (and possibly msg) for the error */
+static bool is_nss_error(CURLcode err)
{
switch(err) {
- case SSL_ERROR_BAD_CERT_ALERT:
+ case CURLE_PEER_FAILED_VERIFICATION:
+ case CURLE_SSL_CACERT:
+ case CURLE_SSL_CACERT_BADFILE:
+ case CURLE_SSL_CERTPROBLEM:
+ case CURLE_SSL_CONNECT_ERROR:
+ case CURLE_SSL_CRL_BADFILE:
+ case CURLE_SSL_ISSUER_ERROR:
return true;
- case SSL_ERROR_REVOKED_CERT_ALERT:
- return true;
+ default:
+ return false;
+ }
+}
+/* return true if the given error code is related to a client certificate */
+static bool is_cc_error(PRInt32 err)
+{
+ switch(err) {
+ case SSL_ERROR_BAD_CERT_ALERT:
case SSL_ERROR_EXPIRED_CERT_ALERT:
+ case SSL_ERROR_REVOKED_CERT_ALERT:
return true;
default:
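Review bot: `is_nss_error()` is an allow-list of curl result codes, and nothing in its comment says it must track the `curlerr` values set on failure paths in Curl_nss_connect. In the later hunk both the NSS diagnostics and the client-certificate remap to `CURLE_SSL_CERTPROBLEM` run only for codes on this list, so a future failure path that sets a different code would silently lose both. I would extend the comment above the function, for example `/* keep in sync with every curlerr value set on an NSS/NSPR failure path before 'goto error' */`. The `is_cc_error()` body that follows continues past the end of this hunk.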
@@ -1388,6 +1402,7 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
time_left = Curl_timeleft(data, NULL, TRUE);
if(time_left < 0L) {
failf(data, "timed out before SSL handshake");
+ curlerr = CURLE_OPERATION_TIMEDOUT;
goto error;
}
timeout = PR_MillisecondsToInterval((PRUint32) time_left);
@@ -1432,15 +1447,18 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
/* reset the flag to avoid an infinite loop */
data->state.ssl_connect_retry = FALSE;
- err = PR_GetError();
- if(is_cc_error(err))
- curlerr = CURLE_SSL_CERTPROBLEM;
+ if(is_nss_error(curlerr)) {
+ /* read NSPR error code */
+ err = PR_GetError();
+ if(is_cc_error(err))
+ curlerr = CURLE_SSL_CERTPROBLEM;
- /* print the error number and error string */
- infof(data, "NSS error %d (%s)\n", err, nss_error_to_name(err));
+ /* print the error number and error string */
+ infof(data, "NSS error %d (%s)\n", err, nss_error_to_name(err));
- /* print a human-readable message describing the error if available */
- nss_print_error_message(data, err);
+ /* print a human-readable message describing the error if available */
+ nss_print_error_message(data, err);
+ }
if(model)
PR_Close(model);
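Review bot: Inside the new `if(is_nss_error(curlerr))` block, `PR_GetError()` is still read at the shared error label rather than at the failing call, so `err` is only meaningful if no other NSPR/NSS call ran on this thread in between. The hunk does not show those paths, so this is worth confirming; a short comment would record the assumption, e.g. `/* err is valid only if nothing called into NSPR since the failing call */`. `err` is also now assigned only inside this block, so if any code after the visible lines still reads it, it should be initialised at its declaration. Curl_nss_connect starts and ends outside this hunk.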