[Spice-devel] [PATCH] ssl: more verbose output when SSL verification fails
Christophe Fergeau
cfergeau at redhat.com
Fri Jun 22 02:55:13 PDT 2012
This should make SSL connection failures easier to diagnose.
---
common/ssl_verify.c | 41 ++++++++++++++++++++++++++++++++---------
1 file changed, 32 insertions(+), 9 deletions(-)
diff --git a/common/ssl_verify.c b/common/ssl_verify.c
index 3667b2e..56b25ac 100644
--- a/common/ssl_verify.c
+++ b/common/ssl_verify.c
@@ -413,6 +413,7 @@ static int openssl_verify(int preverify_ok, X509_STORE_CTX *ctx)
SSL *ssl;
X509* cert;
char buf[256];
+ unsigned int failed_verifications;
ssl = (SSL*)X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
v = (SpiceOpenSSLVerify*)SSL_get_app_data(ssl);
@@ -444,20 +445,42 @@ static int openssl_verify(int preverify_ok, X509_STORE_CTX *ctx)
return 0;
}
- if (v->verifyop & SPICE_SSL_VERIFY_OP_PUBKEY &&
- verify_pubkey(cert, v->pubkey, v->pubkey_size))
- return 1;
+ failed_verifications = 0;
+ if (v->verifyop & SPICE_SSL_VERIFY_OP_PUBKEY)
+ if (verify_pubkey(cert, v->pubkey, v->pubkey_size))
+ return 1;
+ else
+ failed_verifications |= SPICE_SSL_VERIFY_OP_PUBKEY;
if (!v->all_preverify_ok || !preverify_ok)
return 0;
- if (v->verifyop & SPICE_SSL_VERIFY_OP_HOSTNAME &&
- verify_hostname(cert, v->hostname))
- return 1;
+ if (v->verifyop & SPICE_SSL_VERIFY_OP_HOSTNAME)
+ if (verify_hostname(cert, v->hostname))
+ return 1;
+ else
+ failed_verifications |= SPICE_SSL_VERIFY_OP_HOSTNAME;
- if (v->verifyop & SPICE_SSL_VERIFY_OP_SUBJECT &&
- verify_subject(cert, v))
- return 1;
+
+ if (v->verifyop & SPICE_SSL_VERIFY_OP_SUBJECT)
+ if (verify_subject(cert, v))
+ return 1;
+ else
+ failed_verifications |= SPICE_SSL_VERIFY_OP_SUBJECT;
+
+ /* If we reach this code, this means all the tests failed, thus
+ * verification failed
+ */
+ if (failed_verifications & SPICE_SSL_VERIFY_OP_PUBKEY)
+ spice_warning("ssl: pubkey verification failed");
+
+ if (failed_verifications & SPICE_SSL_VERIFY_OP_HOSTNAME)
+ spice_warning("ssl: hostname '%s' verification failed", v->hostname);
+
+ if (failed_verifications & SPICE_SSL_VERIFY_OP_SUBJECT)
+ spice_warning("ssl: subject '%s' verification failed", v->subject);
+
+ spice_warning("ssl: verification failed");
return 0;
}
--
1.7.10.2
More information about the Spice-devel
mailing list