Loading CHANGES +5 −0 Original line number Diff line number Diff line Loading @@ -6,6 +6,11 @@ Changelog Kamil Dudka (28 Aug 2009) - Improved error message for not matching certificate subject name in libcurl-NSS. Originally reported at: https://bugzilla.redhat.com/show_bug.cgi?id=516056#c9 Patrick Monnerat (24 Aug 2009) - Introduced a SYST-based test to properly set-up name format when dealing with the OS/400 FTP server. Loading lib/nss.c +7 −5 Original line number Diff line number Diff line Loading @@ -591,7 +591,7 @@ static SECStatus BadCertHandler(void *arg, PRFileDesc *sock) struct connectdata *conn = (struct connectdata *)arg; PRErrorCode err = PR_GetError(); CERTCertificate *cert = NULL; char *subject, *issuer; char *subject, *subject_cn, *issuer; if(conn->data->set.ssl.certverifyresult!=0) return success; Loading @@ -599,6 +599,7 @@ static SECStatus BadCertHandler(void *arg, PRFileDesc *sock) conn->data->set.ssl.certverifyresult=err; cert = SSL_PeerCertificate(sock); subject = CERT_NameToAscii(&cert->subject); subject_cn = CERT_GetCommonName(&cert->subject); issuer = CERT_NameToAscii(&cert->issuer); CERT_DestroyCertificate(cert); Loading @@ -616,12 +617,12 @@ static SECStatus BadCertHandler(void *arg, PRFileDesc *sock) break; case SSL_ERROR_BAD_CERT_DOMAIN: if(conn->data->set.ssl.verifyhost) { failf(conn->data, "common name '%s' does not match '%s'", subject, conn->host.dispname); failf(conn->data, "SSL: certificate subject name '%s' does not match " "target host name '%s'", subject_cn, conn->host.dispname); success = SECFailure; } else { infof(conn->data, "warning: common name '%s' does not match '%s'\n", subject, conn->host.dispname); infof(conn->data, "warning: SSL: certificate subject name '%s' does not " "match target host name '%s'\n", subject_cn, conn->host.dispname); } break; case SEC_ERROR_EXPIRED_CERTIFICATE: Loading 
@@ -645,6 +646,7 @@ static SECStatus BadCertHandler(void *arg, PRFileDesc *sock) if(success == SECSuccess) infof(conn->data, "SSL certificate verify ok.\n"); PR_Free(subject); PR_Free(subject_cn); PR_Free(issuer); return success; Loading Loading
CHANGES +5 −0 Original line number Diff line number Diff line Loading @@ -6,6 +6,11 @@ Changelog Kamil Dudka (28 Aug 2009) - Improved error message for not matching certificate subject name in libcurl-NSS. Originally reported at: https://bugzilla.redhat.com/show_bug.cgi?id=516056#c9 Patrick Monnerat (24 Aug 2009) - Introduced a SYST-based test to properly set-up name format when dealing with the OS/400 FTP server. Loading
lib/nss.c +7 −5 Original line number Diff line number Diff line Loading @@ -591,7 +591,7 @@ static SECStatus BadCertHandler(void *arg, PRFileDesc *sock) struct connectdata *conn = (struct connectdata *)arg; PRErrorCode err = PR_GetError(); CERTCertificate *cert = NULL; char *subject, *issuer; char *subject, *subject_cn, *issuer; if(conn->data->set.ssl.certverifyresult!=0) return success; Loading @@ -599,6 +599,7 @@ static SECStatus BadCertHandler(void *arg, PRFileDesc *sock) conn->data->set.ssl.certverifyresult=err; cert = SSL_PeerCertificate(sock); subject = CERT_NameToAscii(&cert->subject); subject_cn = CERT_GetCommonName(&cert->subject); issuer = CERT_NameToAscii(&cert->issuer); CERT_DestroyCertificate(cert); Loading @@ -616,12 +617,12 @@ static SECStatus BadCertHandler(void *arg, PRFileDesc *sock) break; case SSL_ERROR_BAD_CERT_DOMAIN: if(conn->data->set.ssl.verifyhost) { failf(conn->data, "common name '%s' does not match '%s'", subject, conn->host.dispname); failf(conn->data, "SSL: certificate subject name '%s' does not match " "target host name '%s'", subject_cn, conn->host.dispname); success = SECFailure; } else { infof(conn->data, "warning: common name '%s' does not match '%s'\n", subject, conn->host.dispname); infof(conn->data, "warning: SSL: certificate subject name '%s' does not " "match target host name '%s'\n", subject_cn, conn->host.dispname); } break; case SEC_ERROR_EXPIRED_CERTIFICATE: Loading @@ -645,6 +646,7 @@ static SECStatus BadCertHandler(void *arg, PRFileDesc *sock) if(success == SECSuccess) infof(conn->data, "SSL certificate verify ok.\n"); PR_Free(subject); PR_Free(subject_cn); PR_Free(issuer); return success; Loading
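Review bot: `subject_cn` is passed to `failf` and `infof` in the `SSL_ERROR_BAD_CERT_DOMAIN` branch without a null check, and `CERT_GetCommonName()` returns NULL when the peer's subject has no CN attribute, so both calls can receive a null pointer for `%s`. Falling back to the full subject keeps the message useful: add `const char *peer_name = subject_cn ? subject_cn : subject;` and pass `peer_name` to both calls. The value comes from a certificate that has just failed verification, so it is peer-controlled text going into the error buffer and log; a short comment saying so would warn later readers not to parse or trust it. If NSS compared the host against subjectAltName entries rather than the CN (which I believe it does when they are present), the CN printed here is not the name that was actually checked, and the wording "certificate subject name" could mislead during triage. The unchecked `cert` from `SSL_PeerCertificate()` predates this change, and `BadCertHandler` starts and ends outside the hunks shown.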