cURL / Mailing Lists / curl-library / Single Mail

curl-library

[PATCH] gnutls: Report actual GnuTLS error message for certificate errors

From: Mike Crowe <mac_at_mcrowe.com>
Date: Wed, 23 Sep 2015 12:31:29 +0100

If GnuTLS fails to read the certificate then include whatever reason it
provides in the failure message reported to the client.

Signed-off-by: Mike Crowe <mac_at_mcrowe.com>

---
 lib/vtls/gtls.c | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)
diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
index 1a41c05..e66a044 100644
--- a/lib/vtls/gtls.c
+++ b/lib/vtls/gtls.c
@@ -663,17 +663,18 @@ gtls_connect_step1(struct connectdata *conn,
         GNUTLS_PKCS_USE_PKCS12_RC2_40 | GNUTLS_PKCS_USE_PBES2_3DES |
         GNUTLS_PKCS_USE_PBES2_AES_128 | GNUTLS_PKCS_USE_PBES2_AES_192 |
         GNUTLS_PKCS_USE_PBES2_AES_256;
-      if(gnutls_certificate_set_x509_key_file2(
+      rc = gnutls_certificate_set_x509_key_file2(
            conn->ssl[sockindex].cred,
            data->set.str[STRING_CERT],
            data->set.str[STRING_KEY] ?
            data->set.str[STRING_KEY] : data->set.str[STRING_CERT],
            do_file_type(data->set.str[STRING_CERT_TYPE]),
            data->set.str[STRING_KEY_PASSWD],
-           supported_key_encryption_algorithms) !=
-         GNUTLS_E_SUCCESS) {
+           supported_key_encryption_algorithms);
+      if (rc != GNUTLS_E_SUCCESS) {
         failf(data,
-              "error reading X.509 potentially-encrypted key file");
+              "error reading X.509 potentially-encrypted key file: %s",
+              gnutls_strerror(rc));
         return CURLE_SSL_CONNECT_ERROR;
 #else
         failf(data, "gnutls lacks support for encrypted key files");
@@ -682,14 +683,15 @@ gtls_connect_step1(struct connectdata *conn,
       }
     }
     else {
-      if(gnutls_certificate_set_x509_key_file(
+      rc = gnutls_certificate_set_x509_key_file(
            conn->ssl[sockindex].cred,
            data->set.str[STRING_CERT],
            data->set.str[STRING_KEY] ?
            data->set.str[STRING_KEY] : data->set.str[STRING_CERT],
-           do_file_type(data->set.str[STRING_CERT_TYPE]) ) !=
-         GNUTLS_E_SUCCESS) {
-        failf(data, "error reading X.509 key or certificate file");
+           do_file_type(data->set.str[STRING_CERT_TYPE]) );
+      if (rc != GNUTLS_E_SUCCESS) {
+        failf(data, "error reading X.509 key or certificate file: %s",
+              gnutls_strerror(rc));
         return CURLE_SSL_CONNECT_ERROR;
       }
     }
-- 
2.1.4
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette:  http://curl.haxx.se/mail/etiquette.html

Received on 2015-09-23

This message: [ Message body ]
Next message: Mike Crowe: "Re: [PATCH] gnutls: Support CURLOPT_KEYPASSWD using gnutls_certificate_set_x509_key_file2"
Previous message: Daniel Stenberg: "Re: Introducing CURL_HAS() ?"
Next in thread: Daniel Stenberg: "Re: [PATCH] gnutls: Report actual GnuTLS error message for certificate errors"
Reply: Daniel Stenberg: "Re: [PATCH] gnutls: Report actual GnuTLS error message for certificate errors"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]