- Improved error message for not matching certificate subject name in
libcurl-NSS. Originally reported at: https://bugzilla.redhat.com/show_bug.cgi?id=516056#c9
parent
1d92cf1dab
commit
1a255e0e28
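--- a/CHANGES
+++ b/CHANGES
@@ -6,6 +6,11 @@
 
 Changelog
 
+Kamil Dudka (28 Aug 2009)
+- Improved error message for not matching certificate subject name in
+libcurl-NSS. Originally reported at:
+https://bugzilla.redhat.com/show_bug.cgi?id=516056#c9
+
 Patrick Monnerat (24 Aug 2009)
 - Introduced a SYST-based test to properly set-up name format when dealing
 with the OS/400 FTP server.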
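--- a/lib/nss.c
+++ b/lib/nss.c
@@ -591,7 +591,7 @@ static SECStatus BadCertHandler(void *arg, PRFileDesc *sock)
 struct connectdata *conn = (struct connectdata *)arg;
 PRErrorCode err = PR_GetError();
 CERTCertificate *cert = NULL;
-char *subject, *issuer;
+char *subject, *subject_cn, *issuer;
 
 if(conn->data->set.ssl.certverifyresult!=0)
 return success;
@@ -599,6 +599,7 @@ static SECStatus BadCertHandler(void *arg, PRFileDesc *sock)
 conn->data->set.ssl.certverifyresult=err;
 cert = SSL_PeerCertificate(sock);
 subject = CERT_NameToAscii(&cert->subject);
+subject_cn = CERT_GetCommonName(&cert->subject);
 issuer = CERT_NameToAscii(&cert->issuer);
 CERT_DestroyCertificate(cert);
 
@@ -616,12 +617,12 @@ static SECStatus BadCertHandler(void *arg, PRFileDesc *sock)
 break;
 case SSL_ERROR_BAD_CERT_DOMAIN:
 if(conn->data->set.ssl.verifyhost) {
-failf(conn->data, "common name '%s' does not match '%s'",
-subject, conn->host.dispname);
+failf(conn->data, "SSL: certificate subject name '%s' does not match "
+"target host name '%s'", subject_cn, conn->host.dispname);
 success = SECFailure;
 } else {
-infof(conn->data, "warning: common name '%s' does not match '%s'\n",
-subject, conn->host.dispname);
+infof(conn->data, "warning: SSL: certificate subject name '%s' does not "
+"match target host name '%s'\n", subject_cn, conn->host.dispname);
 }
 break;
 case SEC_ERROR_EXPIRED_CERTIFICATE:
@@ -645,6 +646,7 @@ static SECStatus BadCertHandler(void *arg, PRFileDesc *sock)
 if(success == SECSuccess)
 infof(conn->data, "SSL certificate verify ok.\n");
 PR_Free(subject);
+PR_Free(subject_cn);
 PR_Free(issuer);
 
 return success;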
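Review bot: `subject_cn` reaches the `%s` in both `SSL_ERROR_BAD_CERT_DOMAIN` messages without a NULL check, and `CERT_GetCommonName()` returns NULL when the peer certificate's subject has no CN attribute, so the text then depends on how the formatter treats a NULL string argument. Passing `subject_cn ? subject_cn : subject` in the `failf` and `infof` calls would keep the diagnostic meaningful for such certificates. The value comes from the peer's certificate and is therefore untrusted, and the name comparison that failed may also have covered subjectAltName entries, so the message should probably not imply that the CN was the only name checked. BadCertHandler begins before and ends after the visible hunks, so the remaining cases and the function's closing lines were not reviewed.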