From 5f87906e0ecf44ec473f8d0455158a93c7dffc62 Mon Sep 17 00:00:00 2001
From: Mike Crowe <mac@mcrowe.com>
Date: Wed, 23 Sep 2015 13:31:29 +0200
Subject: gnutls: Report actual GnuTLS error message for certificate errors

If GnuTLS fails to read the certificate then include whatever reason it
provides in the failure message reported to the client.

Signed-off-by: Mike Crowe <mac@mcrowe.com>
---
 lib/vtls/gtls.c | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

(limited to 'lib/vtls/gtls.c')

diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
index 1a41c05d7..1c1cc2f7b 100644
--- a/lib/vtls/gtls.c
+++ b/lib/vtls/gtls.c
@@ -663,17 +663,18 @@ gtls_connect_step1(struct connectdata *conn,
         GNUTLS_PKCS_USE_PKCS12_RC2_40 | GNUTLS_PKCS_USE_PBES2_3DES |
         GNUTLS_PKCS_USE_PBES2_AES_128 | GNUTLS_PKCS_USE_PBES2_AES_192 |
         GNUTLS_PKCS_USE_PBES2_AES_256;
-      if(gnutls_certificate_set_x509_key_file2(
+      rc = gnutls_certificate_set_x509_key_file2(
            conn->ssl[sockindex].cred,
            data->set.str[STRING_CERT],
            data->set.str[STRING_KEY] ?
            data->set.str[STRING_KEY] : data->set.str[STRING_CERT],
            do_file_type(data->set.str[STRING_CERT_TYPE]),
            data->set.str[STRING_KEY_PASSWD],
-           supported_key_encryption_algorithms) !=
-         GNUTLS_E_SUCCESS) {
+           supported_key_encryption_algorithms);
+      if(rc != GNUTLS_E_SUCCESS) {
         failf(data,
-              "error reading X.509 potentially-encrypted key file");
+              "error reading X.509 potentially-encrypted key file: %s",
+              gnutls_strerror(rc));
         return CURLE_SSL_CONNECT_ERROR;
 #else
         failf(data, "gnutls lacks support for encrypted key files");
@@ -682,14 +683,15 @@ gtls_connect_step1(struct connectdata *conn,
       }
     }
     else {
-      if(gnutls_certificate_set_x509_key_file(
+      rc = gnutls_certificate_set_x509_key_file(
            conn->ssl[sockindex].cred,
            data->set.str[STRING_CERT],
            data->set.str[STRING_KEY] ?
            data->set.str[STRING_KEY] : data->set.str[STRING_CERT],
-           do_file_type(data->set.str[STRING_CERT_TYPE]) ) !=
-         GNUTLS_E_SUCCESS) {
-        failf(data, "error reading X.509 key or certificate file");
+           do_file_type(data->set.str[STRING_CERT_TYPE]) );
+      if(rc != GNUTLS_E_SUCCESS) {
+        failf(data, "error reading X.509 key or certificate file: %s",
+              gnutls_strerror(rc));
         return CURLE_SSL_CONNECT_ERROR;
       }
     }
-- 
cgit v1.2.3