authorChristophe Fergeau <cfergeau@redhat.com>2012-06-22 10:23:15 +0200
committerChristophe Fergeau <cfergeau@redhat.com>2012-06-25 14:59:59 +0200
commitbf5511033d5d6fb98cd597699a725183ae078b62 (patch)
treeb7f9659c53fbafda557ac4bc805a19329b10be7c
parent800784df439b50f810b78b6b30a54c91f9ace36c (diff)
ssl: more verbose output when SSL verification fails
This should make SSL connection failures easier to diagnose.
-rw-r--r--common/ssl_verify.c41
1 files changed, 32 insertions, 9 deletions
diff --git a/common/ssl_verify.c b/common/ssl_verify.c
index 3667b2e..56b25ac 100644
--- a/common/ssl_verify.c
+++ b/common/ssl_verify.c
@@ -413,6 +413,7 @@ static int openssl_verify(int preverify_ok, X509_STORE_CTX *ctx)
SSL *ssl;
X509* cert;
char buf[256];
+ unsigned int failed_verifications;
ssl = (SSL*)X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
v = (SpiceOpenSSLVerify*)SSL_get_app_data(ssl);
@@ -444,20 +445,42 @@ static int openssl_verify(int preverify_ok, X509_STORE_CTX *ctx)
return 0;
}
- if (v->verifyop & SPICE_SSL_VERIFY_OP_PUBKEY &&
- verify_pubkey(cert, v->pubkey, v->pubkey_size))
- return 1;
+ failed_verifications = 0;
+ if (v->verifyop & SPICE_SSL_VERIFY_OP_PUBKEY)
+ if (verify_pubkey(cert, v->pubkey, v->pubkey_size))
+ return 1;
+ else
+ failed_verifications |= SPICE_SSL_VERIFY_OP_PUBKEY;
if (!v->all_preverify_ok || !preverify_ok)
return 0;
- if (v->verifyop & SPICE_SSL_VERIFY_OP_HOSTNAME &&
- verify_hostname(cert, v->hostname))
- return 1;
+ if (v->verifyop & SPICE_SSL_VERIFY_OP_HOSTNAME)
+ if (verify_hostname(cert, v->hostname))
+ return 1;
+ else
+ failed_verifications |= SPICE_SSL_VERIFY_OP_HOSTNAME;
- if (v->verifyop & SPICE_SSL_VERIFY_OP_SUBJECT &&
- verify_subject(cert, v))
- return 1;
+
+ if (v->verifyop & SPICE_SSL_VERIFY_OP_SUBJECT)
+ if (verify_subject(cert, v))
+ return 1;
+ else
+ failed_verifications |= SPICE_SSL_VERIFY_OP_SUBJECT;
+
+ /* If we reach this code, this means all the tests failed, thus
+ * verification failed
+ */
+ if (failed_verifications & SPICE_SSL_VERIFY_OP_PUBKEY)
+ spice_warning("ssl: pubkey verification failed");
+
+ if (failed_verifications & SPICE_SSL_VERIFY_OP_HOSTNAME)
+ spice_warning("ssl: hostname '%s' verification failed", v->hostname);
+
+ if (failed_verifications & SPICE_SSL_VERIFY_OP_SUBJECT)
+ spice_warning("ssl: subject '%s' verification failed", v->subject);
+
+ spice_warning("ssl: verification failed");
return 0;
}
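Review bot: The new warnings at the end of openssl_verify are never reached when the chain pre-verification fails, because the context line `if (!v->all_preverify_ok || !preverify_ok) return 0;` between the pubkey block and the hostname block still returns silently, and a pubkey failure already recorded in `failed_verifications` just above it is discarded with it; the chain-failure case therefore still produces no diagnostic, which is the case the commit sets out to make easier to diagnose. Consider logging before that return, e.g. `spice_warning("ssl: certificate chain pre-verification failed");`, and emitting the pubkey warning there as well when that bit is set. The three new `if (v->verifyop & ...) if (verify_x(...)) return 1; else failed_verifications |= ...;` constructs rely on the dangling-else rule binding `else` to the inner `if`; that is the intended binding here, but braces around each outer body would make it explicit and keep the pattern safe under later edits. The start of openssl_verify lies outside this hunk.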