git://git.exim.org
/
exim.git
/ commitdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
| commitdiff |
tree
raw
|
patch
|
inline
| side by side (parent:
43d1f6c
)
Debug: output GnuTLS verbose reason for certificate verify refusal
author
Jeremy Harris
<jgh146exb@wizmail.org>
Sun, 7 Oct 2018 23:12:08 +0000
(
00:12
+0100)
committer
Jeremy Harris
<jgh146exb@wizmail.org>
Sun, 7 Oct 2018 23:13:34 +0000
(
00:13
+0100)
src/src/tls-gnu.c
patch
|
blob
|
history
diff --git
a/src/src/tls-gnu.c
b/src/src/tls-gnu.c
index 1430f2f3c56fd3acb90132d009c33e17a46fabeb..86d005d683a54d748a747fe8c5d68aaf9a03f2c5 100644
(file)
--- a/
src/src/tls-gnu.c
+++ b/
src/src/tls-gnu.c
@@
-39,6
+39,7
@@
require current GnuTLS, then we'll drop support for the ancient libraries).
#include <gnutls/x509.h>
/* man-page is incorrect, gnutls_rnd() is not in gnutls.h: */
#include <gnutls/crypto.h>
#include <gnutls/x509.h>
/* man-page is incorrect, gnutls_rnd() is not in gnutls.h: */
#include <gnutls/crypto.h>
+
/* needed to disable PKCS11 autoload unless requested */
#if GNUTLS_VERSION_NUMBER >= 0x020c00
# include <gnutls/pkcs11.h>
/* needed to disable PKCS11 autoload unless requested */
#if GNUTLS_VERSION_NUMBER >= 0x020c00
# include <gnutls/pkcs11.h>
@@
-60,6
+61,9
@@
require current GnuTLS, then we'll drop support for the ancient libraries).
#if GNUTLS_VERSION_NUMBER >= 0x030014
# define SUPPORT_SYSDEFAULT_CABUNDLE
#endif
#if GNUTLS_VERSION_NUMBER >= 0x030014
# define SUPPORT_SYSDEFAULT_CABUNDLE
#endif
+#if GNUTLS_VERSION_NUMBER >= 0x030104
+# define GNUTLS_CERT_VFY_STATUS_PRINT
+#endif
#if GNUTLS_VERSION_NUMBER >= 0x030109
# define SUPPORT_CORK
#endif
#if GNUTLS_VERSION_NUMBER >= 0x030109
# define SUPPORT_CORK
#endif
@@
-1743,8
+1747,24
@@
if (rc < 0 || verify & (GNUTLS_CERT_INVALID|GNUTLS_CERT_REVOKED))
{
state->peer_cert_verified = FALSE;
if (!*errstr)
{
state->peer_cert_verified = FALSE;
if (!*errstr)
+ {
+#ifdef GNUTLS_CERT_VFY_STATUS_PRINT
+ DEBUG(D_tls)
+ {
+ gnutls_datum_t txt;
+
+ if (gnutls_certificate_verification_status_print(verify,
+ gnutls_certificate_type_get(state->session), &txt, 0)
+ == GNUTLS_E_SUCCESS)
+ {
+ debug_printf("%s\n", txt.data);
+ gnutls_free(txt.data);
+ }
+ }
+#endif
*errstr = verify & GNUTLS_CERT_REVOKED
? US"certificate revoked" : US"certificate invalid";
*errstr = verify & GNUTLS_CERT_REVOKED
? US"certificate revoked" : US"certificate invalid";
+ }
DEBUG(D_tls)
debug_printf("TLS certificate verification failed (%s): peerdn=\"%s\"\n",
DEBUG(D_tls)
debug_printf("TLS certificate verification failed (%s): peerdn=\"%s\"\n",