[Spice-devel] [PATCH] ssl: more verbose output when SSL verification fails

Marc-André Lureau marcandre.lureau at gmail.com
Fri Jun 22 05:51:40 PDT 2012


ack

On Fri, Jun 22, 2012 at 11:55 AM, Christophe Fergeau
<cfergeau at redhat.com> wrote:
> This should make SSL connection failures easier to diagnose.
> ---
>  common/ssl_verify.c |   41 ++++++++++++++++++++++++++++++++---------
>  1 file changed, 32 insertions(+), 9 deletions(-)
>
> diff --git a/common/ssl_verify.c b/common/ssl_verify.c
> index 3667b2e..56b25ac 100644
> --- a/common/ssl_verify.c
> +++ b/common/ssl_verify.c
> @@ -413,6 +413,7 @@ static int openssl_verify(int preverify_ok, X509_STORE_CTX *ctx)
>     SSL *ssl;
>     X509* cert;
>     char buf[256];
> +    unsigned int failed_verifications;
>
>     ssl = (SSL*)X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
>     v = (SpiceOpenSSLVerify*)SSL_get_app_data(ssl);
> @@ -444,20 +445,42 @@ static int openssl_verify(int preverify_ok, X509_STORE_CTX *ctx)
>         return 0;
>     }
>
> -    if (v->verifyop & SPICE_SSL_VERIFY_OP_PUBKEY &&
> -        verify_pubkey(cert, v->pubkey, v->pubkey_size))
> -        return 1;
> +    failed_verifications = 0;
> +    if (v->verifyop & SPICE_SSL_VERIFY_OP_PUBKEY)
> +        if (verify_pubkey(cert, v->pubkey, v->pubkey_size))
> +            return 1;
> +        else
> +            failed_verifications |= SPICE_SSL_VERIFY_OP_PUBKEY;
>
>     if (!v->all_preverify_ok || !preverify_ok)
>         return 0;
>
> -    if (v->verifyop & SPICE_SSL_VERIFY_OP_HOSTNAME &&
> -        verify_hostname(cert, v->hostname))
> -        return 1;
> +    if (v->verifyop & SPICE_SSL_VERIFY_OP_HOSTNAME)
> +       if (verify_hostname(cert, v->hostname))
> +           return 1;
> +        else
> +            failed_verifications |= SPICE_SSL_VERIFY_OP_HOSTNAME;
>
> -    if (v->verifyop & SPICE_SSL_VERIFY_OP_SUBJECT &&
> -        verify_subject(cert, v))
> -        return 1;
> +
> +    if (v->verifyop & SPICE_SSL_VERIFY_OP_SUBJECT)
> +        if (verify_subject(cert, v))
> +            return 1;
> +        else
> +            failed_verifications |= SPICE_SSL_VERIFY_OP_SUBJECT;
> +
> +    /* If we reach this code, this means all the tests failed, thus
> +     * verification failed
> +     */
> +    if (failed_verifications & SPICE_SSL_VERIFY_OP_PUBKEY)
> +        spice_warning("ssl: pubkey verification failed");
> +
> +    if (failed_verifications & SPICE_SSL_VERIFY_OP_HOSTNAME)
> +        spice_warning("ssl: hostname '%s' verification failed", v->hostname);
> +
> +    if (failed_verifications & SPICE_SSL_VERIFY_OP_SUBJECT)
> +        spice_warning("ssl: subject '%s' verification failed", v->subject);
> +
> +    spice_warning("ssl: verification failed");
>
>     return 0;
>  }
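Review bot: A pubkey mismatch is still reported silently when the chain check fails, because the `if (!v->all_preverify_ok || !preverify_ok) return 0;` between the pubkey and hostname blocks returns before any of the new spice_warning() calls at the end of the function, so the only case the commit title promises to make diagnosable is lost whenever OpenSSL's own verification also failed. Emitting the pubkey warning on that path (see below) keeps the final block unchanged for the other cases; whether the callback runs once per certificate in the chain, and therefore whether the warning would repeat, is not visible in this hunk. The three nested `if`/`else` pairs rely on dangling-else binding and have inconsistent indentation on the hostname branch (`if (verify_hostname(cert, v->hostname))` is indented one column less than its siblings); braces on each outer `if` would make the binding explicit. The comment "all the tests failed" is only accurate for the checks that were actually enabled in v->verifyop, e.g. `/* Every verification requested in v->verifyop failed */`. openssl_verify begins before this hunk.

```c
    if (!v->all_preverify_ok || !preverify_ok) {
        /* Report the pubkey result here too: the warnings below are
         * not reached when OpenSSL's own chain verification failed. */
        if (failed_verifications & SPICE_SSL_VERIFY_OP_PUBKEY)
            spice_warning("ssl: pubkey verification failed");
        return 0;
    }
    /* ... unchanged: hostname and subject checks, final warnings ... */
```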
> --
> 1.7.10.2
>



-- 
Marc-André Lureau

