generic-library/curl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

openssl: improved error detection/reporting

Browse Source 
... by extracting the LIB + REASON from the OpenSSL error code. OpenSSL
1.1.0+ returned a new func number of another cerfificate fail so this
required a fix and this is the better way to catch this error anyway.
This commit is contained in:
Daniel Stenberg
2016-01-14 21:25:30 +01:00
parent fdcc4d6daa
commit 35083ca60e
1 changed files with 16 additions and 23 deletions
Download Patch File Download Diff File Expand all files Collapse all files

39
lib/vtls/openssl.c
View File

@@ -2104,27 +2104,22 @@ static CURLcode ossl_connect_step2(struct connectdata *conn, int sockindex)
least 256 bytes long. */ least 256 bytes long. */
CURLcode result; CURLcode result;
long lerr; long lerr;
int lib;
int reason;
connssl->connecting_state = ssl_connect_2; /* the connection failed, /* the connection failed, we're not waiting for anything else. */
we're not waiting for connssl->connecting_state = ssl_connect_2;
anything else. */
errdetail = ERR_get_error(); /* Gets the earliest error code from the /* Get the earliest error code from the thread's error queue and removes
thread's error queue and removes the the entry. */
entry. */ errdetail = ERR_get_error();
switch(errdetail) { /* Extract which lib and reason */
case 0x1407E086: lib = ERR_GET_LIB(errdetail);
/* 1407E086: reason = ERR_GET_REASON(errdetail);
SSL routines:
SSL2_SET_CERTIFICATE: if((lib == ERR_LIB_SSL) &&
certificate verify failed */ (reason == SSL_R_CERTIFICATE_VERIFY_FAILED)) {
/* fall-through */
case 0x14090086:
/* 14090086:
SSL routines:
SSL3_GET_SERVER_CERTIFICATE:
certificate verify failed */
result = CURLE_SSL_CACERT; result = CURLE_SSL_CACERT;
lerr = SSL_get_verify_result(connssl->handle); lerr = SSL_get_verify_result(connssl->handle);
@@ -2136,13 +2131,11 @@ static CURLcode ossl_connect_step2(struct connectdata *conn, int sockindex)
else else
/* strcpy() is fine here as long as the string fits within /* strcpy() is fine here as long as the string fits within
error_buffer */ error_buffer */
strcpy(error_buffer, strcpy(error_buffer, "SSL certificate verification failed");
"SSL certificate problem, check your CA cert"); }
break; else {
default:
result = CURLE_SSL_CONNECT_ERROR; result = CURLE_SSL_CONNECT_ERROR;
SSL_strerror(errdetail, error_buffer, sizeof(error_buffer)); SSL_strerror(errdetail, error_buffer, sizeof(error_buffer));
break;
} }
/* detail is already set to the SSL error above */ /* detail is already set to the SSL error above */