diff options
| author | Klee Dienes <klee@mit.edu> | 2013-07-06 17:00:02 -0400 |
|---|---|---|
| committer | Gert Doering <gert@greenie.muc.de> | 2013-11-15 17:20:36 +0100 |
| commit | 2f3c65f352086b557a5a9dcf2b54eda08a7962f8 (patch) | |
| tree | 215442596b729a769f78f3b35224080f61daf261 /src/openvpn/ssl_openssl.c | |
| parent | ca2c4a9da769ceefd7e79829362ed054f667536b (diff) | |
| download | openvpn-2f3c65f352086b557a5a9dcf2b54eda08a7962f8.tar.gz openvpn-2f3c65f352086b557a5a9dcf2b54eda08a7962f8.tar.xz openvpn-2f3c65f352086b557a5a9dcf2b54eda08a7962f8.zip | |
tls_ctx_load_ca: Improve certificate error messages
If a CA certificate file includes intermediate certificates, and any
of them fail to verify, the current code will file with "Cannot load
CA certificate file". Instead, generate a more specific error message
identifying the specific sub-certificate(s) which did not validate.
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <CAK6ywbLVtSgRZEt4N+02fz+vQ0GNp==5KdsbqWtZ+fgUzrZq+g@mail.gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7837
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 9927cdbd929bebbba0d15bb9a6b03453891a485b)
Diffstat (limited to 'src/openvpn/ssl_openssl.c')
| -rw-r--r-- | src/openvpn/ssl_openssl.c | 27 |
1 files changed, 24 insertions, 3 deletions
diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index 82dc21f..7c279cb 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -745,7 +745,7 @@ tls_ctx_load_ca (struct tls_root_ctx *ctx, const char *ca_file, X509_STORE *store = NULL; X509_NAME *xn = NULL; BIO *in = NULL; - int i, added = 0; + int i, added = 0, prev = 0; ASSERT(NULL != ctx); @@ -772,6 +772,11 @@ tls_ctx_load_ca (struct tls_root_ctx *ctx, const char *ca_file, if (info->crl) X509_STORE_add_crl (store, info->crl); + if (tls_server && !info->x509) + { + msg (M_SSLERR, "X509 name was missing in TLS mode"); + } + if (info->x509) { X509_STORE_add_cert (store, info->x509); @@ -801,6 +806,15 @@ tls_ctx_load_ca (struct tls_root_ctx *ctx, const char *ca_file, sk_X509_NAME_push (cert_names, xn); } } + + if (tls_server) { + int cnum = sk_X509_NAME_num (cert_names); + if (cnum != (prev + 1)) { + msg (M_WARN, "Cannot load CA certificate file %s (entry %d did not validate)", np(ca_file), added); + } + prev = cnum; + } + } sk_X509_INFO_pop_free (info_stack, X509_INFO_free); } @@ -808,8 +822,15 @@ tls_ctx_load_ca (struct tls_root_ctx *ctx, const char *ca_file, if (tls_server) SSL_CTX_set_client_CA_list (ctx->ctx, cert_names); - if (!added || (tls_server && sk_X509_NAME_num (cert_names) != added)) - msg (M_SSLERR, "Cannot load CA certificate file %s", np(ca_file)); + if (!added) + msg (M_SSLERR, "Cannot load CA certificate file %s (no entries were read)", np(ca_file)); + + if (tls_server) { + int cnum = sk_X509_NAME_num (cert_names); + if (cnum != added) + msg (M_SSLERR, "Cannot load CA certificate file %s (only %d of %d entries were valid X509 names)", np(ca_file), cnum, added); + } + if (in) BIO_free (in); } |