From 2f3c65f352086b557a5a9dcf2b54eda08a7962f8 Mon Sep 17 00:00:00 2001
From: Klee Dienes <klee@mit.edu>
Date: Sat, 6 Jul 2013 17:00:02 -0400
Subject: tls_ctx_load_ca: Improve certificate error messages

If a CA certificate file includes intermediate certificates, and any
of them fail to verify, the current code will file with "Cannot load
CA certificate file".  Instead, generate a more specific error message
identifying the specific sub-certificate(s) which did not validate.

Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <CAK6ywbLVtSgRZEt4N+02fz+vQ0GNp==5KdsbqWtZ+fgUzrZq+g@mail.gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7837

Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 9927cdbd929bebbba0d15bb9a6b03453891a485b)
---
 src/openvpn/ssl_openssl.c | 27 ++++++++++++++++++++++++---
 1 file changed, 24 insertions(+), 3 deletions(-)

(limited to 'src/openvpn/ssl_openssl.c')

diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index 82dc21f..7c279cb 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -745,7 +745,7 @@ tls_ctx_load_ca (struct tls_root_ctx *ctx, const char *ca_file,
   X509_STORE *store = NULL;
   X509_NAME *xn = NULL;
   BIO *in = NULL;
-  int i, added = 0;
+  int i, added = 0, prev = 0;
 
   ASSERT(NULL != ctx);
 
@@ -772,6 +772,11 @@ tls_ctx_load_ca (struct tls_root_ctx *ctx, const char *ca_file,
               if (info->crl)
                   X509_STORE_add_crl (store, info->crl);
 
+              if (tls_server && !info->x509)
+                {
+                  msg (M_SSLERR, "X509 name was missing in TLS mode");
+                }
+
               if (info->x509)
                 {
                   X509_STORE_add_cert (store, info->x509);
@@ -801,6 +806,15 @@ tls_ctx_load_ca (struct tls_root_ctx *ctx, const char *ca_file,
                       sk_X509_NAME_push (cert_names, xn);
                     }
                 }
+
+              if (tls_server) {
+                int cnum = sk_X509_NAME_num (cert_names);
+                if (cnum != (prev + 1)) {
+                  msg (M_WARN, "Cannot load CA certificate file %s (entry %d did not validate)", np(ca_file), added);
+                }
+                prev = cnum;
+              }
+
             }
           sk_X509_INFO_pop_free (info_stack, X509_INFO_free);
         }
@@ -808,8 +822,15 @@ tls_ctx_load_ca (struct tls_root_ctx *ctx, const char *ca_file,
       if (tls_server)
         SSL_CTX_set_client_CA_list (ctx->ctx, cert_names);
 
-      if (!added || (tls_server && sk_X509_NAME_num (cert_names) != added))
-        msg (M_SSLERR, "Cannot load CA certificate file %s", np(ca_file));
+      if (!added)
+        msg (M_SSLERR, "Cannot load CA certificate file %s (no entries were read)", np(ca_file));
+
+      if (tls_server) {
+        int cnum = sk_X509_NAME_num (cert_names);
+        if (cnum != added)
+          msg (M_SSLERR, "Cannot load CA certificate file %s (only %d of %d entries were valid X509 names)", np(ca_file), cnum, added);
+      }
+
       if (in)
         BIO_free (in);
     }
-- 
cgit