Commit 35083ca6 authored by Daniel Stenberg's avatar Daniel Stenberg
Browse files

openssl: improved error detection/reporting 

... by extracting the LIB + REASON from the OpenSSL error code. OpenSSL
1.1.0+ returned a new func number of another cerfificate fail so this
required a fix and this is the better way to catch this error anyway.
parent fdcc4d6d

lib/vtls/openssl.c

+18 −25
Original line number Diff line number Diff line
@@ -2104,27 +2104,22 @@ static CURLcode ossl_connect_step2(struct connectdata *conn, int sockindex) 
                                    least 256 bytes long. */

      CURLcode result;

      long lerr;

      int lib;

      int reason;



      connssl->connecting_state = ssl_connect_2; /* the connection failed,

                                                    we're not waiting for

                                                    anything else. */



      errdetail = ERR_get_error(); /* Gets the earliest error code from the

                                      thread's error queue and removes the

                                      entry. */



      switch(errdetail) {

      case 0x1407E086:

        /* 1407E086:

           SSL routines:

           SSL2_SET_CERTIFICATE:

           certificate verify failed */

        /* fall-through */

      case 0x14090086:

        /* 14090086:

           SSL routines:

           SSL3_GET_SERVER_CERTIFICATE:

           certificate verify failed */

      /* the connection failed, we're not waiting for anything else. */

      connssl->connecting_state = ssl_connect_2;



      /* Get the earliest error code from the thread's error queue and removes

         the entry. */

      errdetail = ERR_get_error();



      /* Extract which lib and reason */

      lib = ERR_GET_LIB(errdetail);

      reason = ERR_GET_REASON(errdetail);



      if((lib == ERR_LIB_SSL) &&

         (reason == SSL_R_CERTIFICATE_VERIFY_FAILED)) {

        result = CURLE_SSL_CACERT;



        lerr = SSL_get_verify_result(connssl->handle);
@@ -2136,13 +2131,11 @@ static CURLcode ossl_connect_step2(struct connectdata *conn, int sockindex) 
        else

          /* strcpy() is fine here as long as the string fits within

             error_buffer */

          strcpy(error_buffer,

                 "SSL certificate problem, check your CA cert");

        break;

      default:

          strcpy(error_buffer, "SSL certificate verification failed");

      }

      else {

        result = CURLE_SSL_CONNECT_ERROR;

        SSL_strerror(errdetail, error_buffer, sizeof(error_buffer));

        break;

      }



      /* detail is already set to the SSL error above */