[Spice-devel] [PATCH spice-common] ssl-verify: use more explicit error message
Christophe Fergeau
cfergeau at redhat.com
Fri Oct 19 01:37:38 PDT 2012
ACK
(I don't know if the error message is fully accurate, but this can be
improved on later)
Christophe
On Thu, Oct 18, 2012 at 09:23:12PM +0200, Marc-André Lureau wrote:
> When the server certificate is not being signed by the provided CA,
> the SSL debug message is currently for example:
>
> ssl_verify.c:428:openssl_verify: openssl verify:num=19:self signed
> certificate in certificate chain:depth=1:/C=IL/L=Raanana/O=Red
> Hat/CN=my CA
>
> Add a more explicit debug message too, as requested in bug:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=846666
> ---
> common/ssl_verify.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/common/ssl_verify.c b/common/ssl_verify.c
> index 6c9deca..e10ed52 100644
> --- a/common/ssl_verify.c
> +++ b/common/ssl_verify.c
> @@ -434,6 +434,9 @@ static int openssl_verify(int preverify_ok, X509_STORE_CTX *ctx)
> v->verifyop & SPICE_SSL_VERIFY_OP_PUBKEY)
> return 1;
>
> + if (err == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN)
> + spice_debug("server certificate not being signed by the provided CA");
> +
> return 0;
> } else
> return 1;
> --
> 1.7.11.7
>
> _______________________________________________
> Spice-devel mailing list
> Spice-devel at lists.freedesktop.org
> http://lists.freedesktop.org/mailman/listinfo/spice-devel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
URL: <http://lists.freedesktop.org/archives/spice-devel/attachments/20121019/6fe4d5ec/attachment.pgp>
More information about the Spice-devel
mailing list