I renamed the CURLE_SSL_PEER_CERTIFICATE error code to

CURLE_PEER_FAILED_VERIFICATION (standard CURL_NO_OLDIES style), and made this
return code get used by the previous SSH MD5 fingerprint check in case it
fails.

CHANGES

@@ -7,6 +7,11 @@
                                   Changelog
 
 Daniel S (3 October 2007)
+- I renamed the CURLE_SSL_PEER_CERTIFICATE error code to
+  CURLE_PEER_FAILED_VERIFICATION (standard CURL_NO_OLDIES style), and made
+  this return code get used by the previous SSH MD5 fingerprint check in case
+  it fails.
+
 - Based on a patch brought by Johnny Luong, libcurl now offers
   CURLOPT_SSH_HOST_PUBLIC_KEY_MD5 and the curl tool --hostpubmd5. They both
   make the SCP or SFTP connection verify the remote host's md5 checksum of the

docs/curl.1

@@ -1512,7 +1512,7 @@ Unknown TELNET option specified.
 .IP 49
 Malformed telnet option.
 .IP 51
-The remote peer's SSL certificate wasn't ok
+The peer's SSL certificate or SSH MD5 fingerprint was not ok
 .IP 52
 The server didn't reply anything, which here is considered an error.
 .IP 53

docs/libcurl/libcurl-errors.3

@@ -148,8 +148,8 @@ An option set with CURLOPT_TELNETOPTIONS was not recognized/known. Refer to
 the appropriate documentation.
 .IP "CURLE_TELNET_OPTION_SYNTAX (49)"
 A telnet option string was Illegally formatted.
-.IP "CURLE_SSL_PEER_CERTIFICATE (51)"
+.IP "CURLE_PEER_FAILED_VERIFICATION (51)"
-The remote server's SSL certificate was deemed not OK.
+The remote server's SSL certificate or SSH md5 fingerprint was deemed not OK.
 .IP "CURLE_GOT_NOTHING (52)"
 Nothing was returned from the server, and under the circumstances, getting
 nothing is considered an error.

include/curl/curl.h

@@ -367,7 +367,8 @@ typedef enum {
   CURLE_UNKNOWN_TELNET_OPTION,   /* 48 - User specified an unknown option */
   CURLE_TELNET_OPTION_SYNTAX ,   /* 49 - Malformed telnet option */
   CURLE_OBSOLETE50,              /* 50 - NOT USED */
-  CURLE_SSL_PEER_CERTIFICATE,    /* 51 - peer's certificate wasn't ok */
+  CURLE_PEER_FAILED_VERIFICATION, /* 51 - peer's certificate or fingerprint
+                                     wasn't verified fine */
   CURLE_GOT_NOTHING,             /* 52 - when this is a specific error */
   CURLE_SSL_ENGINE_NOTFOUND,     /* 53 - SSL crypto engine not found */
   CURLE_SSL_ENGINE_SETFAILED,    /* 54 - can not set SSL crypto engine as
@@ -416,9 +417,13 @@ typedef enum {
                           the obsolete stuff removed! */
 
 /* Backwards compatibility with older names */
+
+/* The following were added in 7.17.1 */
 /* These are scheduled to disappear by 2009 */
+#define CURLE_SSL_PEER_CERTIFICATE CURLE_PEER_FAILED_VERIFICATION
 
 /* The following were added in 7.17.0 */
+/* These are scheduled to disappear by 2009 */
 #define CURLE_OBSOLETE CURLE_OBSOLETE50 /* noone should be using this! */
 #define CURLE_BAD_PASSWORD_ENTERED CURLE_OBSOLETE46
 #define CURLE_BAD_CALLING_ORDER CURLE_OBSOLETE44

lib/gtls.c

@@ -352,7 +352,7 @@ Curl_gtls_connect(struct connectdata *conn,
   if(!chainp) {
     if(data->set.ssl.verifyhost) {
       failf(data, "failed to get server cert");
-      return CURLE_SSL_PEER_CERTIFICATE;
+      return CURLE_PEER_FAILED_VERIFICATION;
     }
     infof(data, "\t common name: WARNING couldn't obtain\n");
   }
@@ -413,7 +413,7 @@ Curl_gtls_connect(struct connectdata *conn,
       failf(data, "SSL: certificate subject name (%s) does not match "
             "target host name '%s'", certbuf, conn->host.dispname);
       gnutls_x509_crt_deinit(x509_cert);
-      return CURLE_SSL_PEER_CERTIFICATE;
+      return CURLE_PEER_FAILED_VERIFICATION;
     }
     else
       infof(data, "\t common name: %s (does not match '%s')\n",
@@ -433,7 +433,7 @@ Curl_gtls_connect(struct connectdata *conn,
   if(clock < time(NULL)) {
     if (data->set.ssl.verifypeer) {
       failf(data, "server certificate expiration date has passed.");
-      return CURLE_SSL_PEER_CERTIFICATE;
+      return CURLE_PEER_FAILED_VERIFICATION;
     }
     else
       infof(data, "\t server certificate expiration date FAILED\n");
@@ -451,7 +451,7 @@ Curl_gtls_connect(struct connectdata *conn,
   if(clock > time(NULL)) {
     if (data->set.ssl.verifypeer) {
       failf(data, "server certificate not activated yet.");
-      return CURLE_SSL_PEER_CERTIFICATE;
+      return CURLE_PEER_FAILED_VERIFICATION;
     }
     else
       infof(data, "\t server certificate activation date FAILED\n");

lib/qssl.c

@@ -220,7 +220,7 @@ static CURLcode Curl_qsossl_handshake(struct connectdata * conn, int sockindex)
   case SSL_ERROR_BAD_CERTIFICATE:
   case SSL_ERROR_BAD_CERT_SIG:
   case SSL_ERROR_NOT_TRUSTED_ROOT:
-    return CURLE_SSL_PEER_CERTIFICATE;
+    return CURLE_PEER_FAILED_VERIFICATION;
 
   case SSL_ERROR_BAD_CIPHER_SUITE:
   case SSL_ERROR_NO_CIPHERS:

lib/ssh.c

@@ -371,7 +371,7 @@ static CURLcode ssh_statemach_act(struct connectdata *conn)
                 "Remote %s is not equal to %s",
                 buf, data->set.str[STRING_SSH_HOST_PUBLIC_KEY_MD5]);
           state(conn, SSH_SESSION_FREE);
-          sshc->actualCode = CURLE_FAILED_INIT;
+          sshc->actualCode = CURLE_PEER_FAILED_VERIFICATION;
           break;
         }
       }

lib/ssluse.c

@@ -1121,13 +1121,13 @@ static CURLcode verifyhost(struct connectdata *conn,
     if (!peer_CN) {
       failf(data,
             "SSL: unable to obtain common name from peer certificate");
-      return CURLE_SSL_PEER_CERTIFICATE;
+      return CURLE_PEER_FAILED_VERIFICATION;
     }
     else if(!cert_hostcheck((const char *)peer_CN, conn->host.name)) {
       if(data->set.ssl.verifyhost > 1) {
         failf(data, "SSL: certificate subject name '%s' does not match "
               "target host name '%s'", peer_CN, conn->host.dispname);
-        res = CURLE_SSL_PEER_CERTIFICATE;
+        res = CURLE_PEER_FAILED_VERIFICATION;
       }
       else
         infof(data, "\t common name: %s (does not match '%s')\n",
@@ -1624,7 +1624,7 @@ Curl_ossl_connect_step3(struct connectdata *conn,
   connssl->server_cert = SSL_get_peer_certificate(connssl->handle);
   if(!connssl->server_cert) {
     failf(data, "SSL: couldn't get peer certificate!");
-    return CURLE_SSL_PEER_CERTIFICATE;
+    return CURLE_PEER_FAILED_VERIFICATION;
   }
   infof (data, "Server certificate:\n");
 
@@ -1675,7 +1675,7 @@ Curl_ossl_connect_step3(struct connectdata *conn,
            and we return earlyer if verifypeer is set? */
         failf(data, "SSL certificate verify result: %s (%ld)",
               X509_verify_cert_error_string(lerr), lerr);
-        retcode = CURLE_SSL_PEER_CERTIFICATE;
+        retcode = CURLE_PEER_FAILED_VERIFICATION;
       }
       else
         infof(data, "SSL certificate verify result: %s (%ld),"

lib/strerror.c

@@ -174,8 +174,8 @@ curl_easy_strerror(CURLcode error)
   case CURLE_TELNET_OPTION_SYNTAX :
     return "Malformed telnet option";
 
-  case CURLE_SSL_PEER_CERTIFICATE:
+  case CURLE_PEER_FAILED_VERIFICATION:
-    return "SSL peer certificate was not OK";
+    return "SSL peer certificate or SSH md5 fingerprint was not OK";
 
   case CURLE_GOT_NOTHING:
     return "Server returned nothing (no headers, no data)";