gnutls: Report actual GnuTLS error message for certificate errors

If GnuTLS fails to read the certificate then include whatever reason it provides in the failure message reported to the client. Signed-off-by: Mike Crowe <mac@mcrowe.com>
2024-12-21 23:58:49 -05:00 · 2015-09-23 13:31:29 +02:00 · 2015-09-23 13:31:29 +02:00 · 5f87906e0e
commit 5f87906e0e
parent 684bf30802
1 changed files with 10 additions and 8 deletions
--- a/lib/vtls/gtls.c
+++ b/lib/vtls/gtls.c
@ -663,17 +663,18 @@ gtls_connect_step1(struct connectdata *conn,
        GNUTLS_PKCS_USE_PKCS12_RC2_40 | GNUTLS_PKCS_USE_PBES2_3DES |
        GNUTLS_PKCS_USE_PBES2_AES_128 | GNUTLS_PKCS_USE_PBES2_AES_192 |
        GNUTLS_PKCS_USE_PBES2_AES_256;
-      if(gnutls_certificate_set_x509_key_file2(
+      rc = gnutls_certificate_set_x509_key_file2(
           conn->ssl[sockindex].cred,
           data->set.str[STRING_CERT],
           data->set.str[STRING_KEY] ?
           data->set.str[STRING_KEY] : data->set.str[STRING_CERT],
           do_file_type(data->set.str[STRING_CERT_TYPE]),
           data->set.str[STRING_KEY_PASSWD],
-           supported_key_encryption_algorithms) !=
-         GNUTLS_E_SUCCESS) {
+           supported_key_encryption_algorithms);
+      if(rc != GNUTLS_E_SUCCESS) {
        failf(data,
-              "error reading X.509 potentially-encrypted key file");
+              "error reading X.509 potentially-encrypted key file: %s",
+              gnutls_strerror(rc));
        return CURLE_SSL_CONNECT_ERROR;
 #else
        failf(data, "gnutls lacks support for encrypted key files");
@ -682,14 +683,15 @@ gtls_connect_step1(struct connectdata *conn,
      }
    }
    else {
-      if(gnutls_certificate_set_x509_key_file(
+      rc = gnutls_certificate_set_x509_key_file(
           conn->ssl[sockindex].cred,
           data->set.str[STRING_CERT],
           data->set.str[STRING_KEY] ?
           data->set.str[STRING_KEY] : data->set.str[STRING_CERT],
-           do_file_type(data->set.str[STRING_CERT_TYPE]) ) !=
-         GNUTLS_E_SUCCESS) {
-        failf(data, "error reading X.509 key or certificate file");
+           do_file_type(data->set.str[STRING_CERT_TYPE]) );
+      if(rc != GNUTLS_E_SUCCESS) {
+        failf(data, "error reading X.509 key or certificate file: %s",
+              gnutls_strerror(rc));
        return CURLE_SSL_CONNECT_ERROR;
      }
    }