{
return tls_error(prefix,
state && err == GNUTLS_E_FATAL_ALERT_RECEIVED
- ? US gnutls_alert_get_name(gnutls_alert_get(state->session))
+ ? string_sprintf("rxd alert: %s",
+ US gnutls_alert_get_name(gnutls_alert_get(state->session)))
: US gnutls_strerror(err),
state ? state->host : NULL,
errstr);
if (!(kfile = string_nextinlist(&klist, &ksep, NULL, 0)))
return tls_error(US"cert/key setup: out of keys", NULL, NULL, errstr);
- else if ((rc = tls_add_certfile(state, NULL, cfile, kfile, errstr)) > 0)
+ else if ((rc = tls_add_certfile(state, NULL, cfile, kfile, errstr)) != OK)
return rc;
else
{
if (!state->lib_state.conn_certs)
{
- if (!Expand_check_tlsvar(tls_certificate, errstr))
+ if ( !Expand_check_tlsvar(tls_certificate, errstr)
+ || f.expand_string_forcedfail)
+ {
+ if (f.expand_string_forcedfail)
+ *errstr = US"expansion of tls_certificate failed";
return DEFER;
+ }
/* certificate is mandatory in server, optional in client */
else
DEBUG(D_tls) debug_printf("TLS: no client certificate specified; okay\n");
- if (state->tls_privatekey && !Expand_check_tlsvar(tls_privatekey, errstr))
+ if ( state->tls_privatekey && !Expand_check_tlsvar(tls_privatekey, errstr)
+ || f.expand_string_forcedfail
+ )
+ {
+ if (f.expand_string_forcedfail)
+ *errstr = US"expansion of tls_privatekey failed";
return DEFER;
+ }
/* tls_privatekey is optional, defaulting to same file as certificate */
tls_ocsp_file,
#endif
errstr)
- ) ) return rc;
+ ) )
+ {
+ DEBUG(D_tls) debug_printf("load-cert: '%s'\n", *errstr);
+ return rc;
+ }
}
}
else
{
/* If the setup of certs/etc failed before handshake, TLS would not have
been offered. The best we can do now is abort. */
- return GNUTLS_E_APPLICATION_ERROR_MIN;
+ DEBUG(D_tls) debug_printf("expansion for SNI-dependent session files failed\n");
+ return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
}
rc = tls_set_remaining_x509(state, &dummy_errstr);
-if (rc != OK) return GNUTLS_E_APPLICATION_ERROR_MIN;
+if (rc != OK) return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
return 0;
}