From 1a255e0e280f6ca48a4f2290642ede2966c007da Mon Sep 17 00:00:00 2001
From: Kamil Dudka
Date: Fri, 28 Aug 2009 12:06:51 +0000
Subject: - Improved error message for not matching certificate subject name in libcurl-NSS. Originally reported at: https://bugzilla.redhat.com/show_bug.cgi?id=516056#c9
---
 CHANGES | 5 +++++
 lib/nss.c | 12 +++++++-----
 2 files changed, 12 insertions(+), 5 deletions(-)
diff --git a/CHANGES b/CHANGES
index ef5896f20..8a77b0487 100644
--- a/CHANGES
+++ b/CHANGES
@@ -6,6 +6,11 @@
 Changelog
+Kamil Dudka (28 Aug 2009)
+- Improved error message for not matching certificate subject name in
+ libcurl-NSS. Originally reported at:
+ https://bugzilla.redhat.com/show_bug.cgi?id=516056#c9
+
 Patrick Monnerat (24 Aug 2009)
 - Introduced a SYST-based test to properly set-up name format when dealing with the OS/400 FTP server.
diff --git a/lib/nss.c b/lib/nss.c
index 6ee655678..02fa06d9c 100644
--- a/lib/nss.c
+++ b/lib/nss.c
@@ -591,7 +591,7 @@ static SECStatus BadCertHandler(void *arg, PRFileDesc *sock)
 struct connectdata *conn = (struct connectdata *)arg;
 PRErrorCode err = PR_GetError();
 CERTCertificate *cert = NULL;
- char *subject, *issuer;
+ char *subject, *subject_cn, *issuer;
 if(conn->data->set.ssl.certverifyresult!=0)
 return success;
@@ -599,6 +599,7 @@ static SECStatus BadCertHandler(void *arg, PRFileDesc *sock)
 conn->data->set.ssl.certverifyresult=err;
 cert = SSL_PeerCertificate(sock);
 subject = CERT_NameToAscii(&cert->subject);
+ subject_cn = CERT_GetCommonName(&cert->subject);
 issuer = CERT_NameToAscii(&cert->issuer);
 CERT_DestroyCertificate(cert);
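Review bot: In the `@@ -599,6 +599,7 @@` hunk the result of `CERT_GetCommonName(&cert->subject)` is stored without a NULL check, and NSS returns NULL from it when the subject has no CN attribute (for example a certificate that names its hosts only in subjectAltName) or when allocation fails. The pointer then reaches the `%s` conversions of the SSL_ERROR_BAD_CERT_DOMAIN messages in the `@@ -616,12 +617,12 @@` hunk, so what is printed depends on how failf()/infof() format a NULL string, which this patch does not show. A fallback to the full subject avoids that: `const char *peer_name = subject_cn ? subject_cn : subject;` and pass `peer_name` to both calls. The new line is also a second dereference of `cert` with no visible check on the return of SSL_PeerCertificate(); that gap predates this commit. BadCertHandler starts and ends outside the hunk.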
@@ -616,12 +617,12 @@ static SECStatus BadCertHandler(void *arg, PRFileDesc *sock)
 break;
 case SSL_ERROR_BAD_CERT_DOMAIN:
 if(conn->data->set.ssl.verifyhost) {
- failf(conn->data, "common name '%s' does not match '%s'",
- subject, conn->host.dispname);
+ failf(conn->data, "SSL: certificate subject name '%s' does not match "
+ "target host name '%s'", subject_cn, conn->host.dispname);
 success = SECFailure;
 } else {
- infof(conn->data, "warning: common name '%s' does not match '%s'\n",
- subject, conn->host.dispname);
+ infof(conn->data, "warning: SSL: certificate subject name '%s' does not "
+ "match target host name '%s'\n", subject_cn, conn->host.dispname);
 }
 break;
 case SEC_ERROR_EXPIRED_CERTIFICATE:
@@ -645,6 +646,7 @@ static SECStatus BadCertHandler(void *arg, PRFileDesc *sock)
 if(success == SECSuccess)
 infof(conn->data, "SSL certificate verify ok.\n");
 PR_Free(subject);
+ PR_Free(subject_cn);
 PR_Free(issuer);
 return success;
-- cgit v1.2.3
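Review bot: `subject_cn` in the two SSL_ERROR_BAD_CERT_DOMAIN messages is text taken from the peer's certificate, so whatever the remote side put in its CN lands in the error buffer and the verbose output. The old messages used `subject` from CERT_NameToAscii(); as far as I know the common-name string is returned without that function's escaping. Applications that copy this message into logs or onto a terminal should treat it as untrusted, and a comment such as `/* subject_cn is peer-controlled text; do not assume it is printable */` above the `failf()` call would record that. The wording "certificate subject name" can also mislead triage when the certificate carries subjectAltName entries, because the host check may have been made against those rather than the CN printed here (inferred from NSS behaviour, not visible in this hunk). The enclosing switch starts and ends outside the hunk.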
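Review bot: `PR_Free(subject_cn)` in the `@@ -645,6 +646,7 @@` hunk releases a string that, as far as I know, NSS allocates through its PORT_ allocator, for which `PORT_Free()` is the matching call. The neighbouring `PR_Free()` calls on the CERT_NameToAscii() results follow the same pattern, so this is a consistency point for all three rather than a new bug. If the calls stay as they are, a short comment such as `/* strings allocated by NSS; PORT_Free() is the matching release call */` would stop the next reader from assuming NSPR ownership. The function body starts outside the hunk.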