From 6293fe98a030dc776f38dec97e8241cb09cdd170 Mon Sep 17 00:00:00 2001
From: Kamil Dudka <kdudka@redhat.com>
Date: Thu, 13 Aug 2009 16:04:51 +0000
Subject: - Changed NSS code to not ignore the value of ssl.verifyhost and
 produce more   verbose error messages. Originally reported at:  
 https://bugzilla.redhat.com/show_bug.cgi?id=516056

---
 CHANGES   |  5 +++++
 lib/nss.c | 23 +++++++++++++++++++----
 2 files changed, 24 insertions(+), 4 deletions(-)

diff --git a/CHANGES b/CHANGES
index c9232c40b..5ecc26330 100644
--- a/CHANGES
+++ b/CHANGES
@@ -6,6 +6,11 @@
 
                                   Changelog
 
+Kamil Dudka (13 Aug 2009)
+- Changed NSS code to not ignore the value of ssl.verifyhost and produce more
+  verbose error messages. Originally reported at:
+  https://bugzilla.redhat.com/show_bug.cgi?id=516056
+
 Daniel Stenberg (12 Aug 2009)
 - Karl Moerder fixed the Makefile.vc* makefiles to include the new file
   nonblock.c so that they work fine again
diff --git a/lib/nss.c b/lib/nss.c
index c93535ee3..6ee655678 100644
--- a/lib/nss.c
+++ b/lib/nss.c
@@ -615,16 +615,26 @@ static SECStatus BadCertHandler(void *arg, PRFileDesc *sock)
           issuer);
     break;
   case SSL_ERROR_BAD_CERT_DOMAIN:
-    if(conn->data->set.ssl.verifypeer)
+    if(conn->data->set.ssl.verifyhost) {
+      failf(conn->data, "common name '%s' does not match '%s'",
+            subject, conn->host.dispname);
       success = SECFailure;
-    infof(conn->data, "common name: %s (does not match '%s')\n",
-          subject, conn->host.dispname);
+    } else {
+      infof(conn->data, "warning: common name '%s' does not match '%s'\n",
+            subject, conn->host.dispname);
+    }
     break;
   case SEC_ERROR_EXPIRED_CERTIFICATE:
     if(conn->data->set.ssl.verifypeer)
       success = SECFailure;
     infof(conn->data, "Remote Certificate has expired.\n");
     break;
+  case SEC_ERROR_UNKNOWN_ISSUER:
+    if(conn->data->set.ssl.verifypeer)
+      success = SECFailure;
+    infof(conn->data, "Peer's certificate issuer is not recognized: '%s'\n",
+          issuer);
+    break;
   default:
     if(conn->data->set.ssl.verifypeer)
       success = SECFailure;
@@ -1067,6 +1077,9 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
     }
   }
 
+  if(data->set.ssl.verifyhost == 1)
+    infof(data, "warning: ignoring unsupported value (1) of ssl.verifyhost\n");
+
   data->set.ssl.certverifyresult=0; /* not checked yet */
   if(SSL_BadCertHook(model, (SSLBadCertHandler) BadCertHandler, conn)
      != SECSuccess) {
@@ -1200,7 +1213,9 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
   if(SSL_ForceHandshakeWithTimeout(connssl->handle,
                                     PR_SecondsToInterval(HANDSHAKE_TIMEOUT))
       != SECSuccess) {
-    if(conn->data->set.ssl.certverifyresult!=0)
+    if(conn->data->set.ssl.certverifyresult == SSL_ERROR_BAD_CERT_DOMAIN)
+      curlerr = CURLE_PEER_FAILED_VERIFICATION;
+    else if(conn->data->set.ssl.certverifyresult!=0)
       curlerr = CURLE_SSL_CACERT;
     goto error;
   }
-- 
cgit v1.2.3