[Spice-devel] [spice-common 2/3] ssl: Log an error when peer certificate verification failed
Christophe Fergeau
cfergeau at redhat.com
Fri Sep 20 08:07:35 PDT 2013
We currently log an error when openssl_verify() is called with
preverify_ok set to 0 for all certificates in the certificate chain
except for the peer certificate (when 'depth' is 0).
This commit logs an error in the latter case as well.
---
common/ssl_verify.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/common/ssl_verify.c b/common/ssl_verify.c
index d4b89f0..7af78bc 100644
--- a/common/ssl_verify.c
+++ b/common/ssl_verify.c
@@ -456,8 +456,16 @@ static int openssl_verify(int preverify_ok, X509_STORE_CTX *ctx)
failed_verifications |= SPICE_SSL_VERIFY_OP_PUBKEY;
}
- if (!v->all_preverify_ok || !preverify_ok)
+ if (!preverify_ok) {
+ err = X509_STORE_CTX_get_error(ctx);
+ depth = X509_STORE_CTX_get_error_depth(ctx);
+ spice_warning("Error in server certificate verification: %s (num=%d:depth%d:%s)",
+ X509_verify_cert_error_string(err), err, depth, buf);
return 0;
+ }
+ if (!v->all_preverify_ok) {
+ return 0;
+ }
if (v->verifyop & SPICE_SSL_VERIFY_OP_HOSTNAME) {
if (verify_hostname(cert, v->hostname))
--
1.8.3.1
More information about the Spice-devel
mailing list