mirror of https://github.com/moparisthebest/wget synced 2024-07-03 16:38:41 -04:00

[svn] Print all issues with a certificate.

hniksic 2005-05-16 13:32:55 -07:00
parent 857c3e2ca4
commit a039ae12fe
2 changed files with 21 additions and 8 deletions


@ -1,3 +1,8 @@
2005-05-16 Hrvoje Niksic <hniksic@xemacs.org>
* openssl.c (ssl_check_certificate): Print all issues with a
certificate.
2005-05-16 Hrvoje Niksic <hniksic@xemacs.org> 2005-05-16 Hrvoje Niksic <hniksic@xemacs.org>
* ftp-basic.c: Don't xfree() the line returned by ftp_response if * ftp-basic.c: Don't xfree() the line returned by ftp_response if


@ -412,7 +412,7 @@ ssl_check_certificate (int fd, const char *host)
X509 *cert; X509 *cert;
char common_name[256]; char common_name[256];
long vresult; long vresult;
int success; int success = 1;
/* If the user has specified --no-check-cert, we still want to warn /* If the user has specified --no-check-cert, we still want to warn
him about problems with the server's certificate. */ him about problems with the server's certificate. */
@ -427,7 +427,7 @@ ssl_check_certificate (int fd, const char *host)
logprintf (LOG_NOTQUIET, _("%s: No certificate presented by %s.\n"), logprintf (LOG_NOTQUIET, _("%s: No certificate presented by %s.\n"),
severity, escnonprint (host)); severity, escnonprint (host));
success = 0; success = 0;
goto out; goto out; /* must bail out since CERT is NULL */
} }
#ifdef ENABLE_DEBUG #ifdef ENABLE_DEBUG
@ -445,12 +445,22 @@ ssl_check_certificate (int fd, const char *host)
vresult = SSL_get_verify_result (ssl); vresult = SSL_get_verify_result (ssl);
if (vresult != X509_V_OK) if (vresult != X509_V_OK)
{ {
/* #### We might want to print saner (and translatable) error
messages for several frequently encountered errors. The
candidates would include
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY,
X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN,
X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT,
X509_V_ERR_CERT_NOT_YET_VALID, X509_V_ERR_CERT_HAS_EXPIRED,
and possibly others. The current approach would still be
used for the less frequent failure cases. */
logprintf (LOG_NOTQUIET, logprintf (LOG_NOTQUIET,
_("%s: Certificate verification error for %s: %s\n"), _("%s: Certificate verification error for %s: %s\n"),
severity, escnonprint (host), severity, escnonprint (host),
X509_verify_cert_error_string (vresult)); X509_verify_cert_error_string (vresult));
success = 0; success = 0;
goto out; /* Fall through, so that the user is warned about *all* issues
with the cert (important with --no-check-certificate.) */
} }
/* Check that HOST matches the common name in the certificate. /* Check that HOST matches the common name in the certificate.
@ -476,13 +486,11 @@ ssl_check_certificate (int fd, const char *host)
%s: certificate common name `%s' doesn't match requested host name `%s'.\n"), %s: certificate common name `%s' doesn't match requested host name `%s'.\n"),
severity, escnonprint (common_name), escnonprint (host)); severity, escnonprint (common_name), escnonprint (host));
success = 0; success = 0;
goto out;
} }
/* The certificate was found, verified, and matched HOST. */ if (success)
success = 1; DEBUGP (("X509 certificate successfully verified and matches host %s\n",
DEBUGP (("X509 certificate successfully verified and matches host %s\n", escnonprint (host)));
escnonprint (host)));
out: out:
if (cert) if (cert)
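Review bot: With `int success = 1;` at the declaration, ssl_check_certificate now defaults to acceptance and relies on every failing branch remembering `success = 0;`, whereas the old side set `success = 1` only after all checks had passed. A check added later that logs a problem but forgets to clear the flag would silently accept the certificate, so I would document the invariant at the declaration, e.g. `int success = 1;  /* cleared by each failed check below; never set back to 1 */`. Dropping the `goto out` after the verification error also means the common-name comparison now runs on certificates whose chain did not verify, so `common_name` holds text chosen by the peer; it is passed through `escnonprint` before logging, but the code that fills the 256-byte buffer is outside these hunks and is worth checking for truncation handling. The function begins and ends outside the visible hunks.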