moparisthebest
/
wget
mirror of https://github.com/moparisthebest/wget
1
0
Fork 0
Code Issues Releases Wiki Activity

[svn] Print separate error messages for frequent X509 certificate problems.

This commit is contained in:
hniksic 2005-07-07 08:31:37 -07:00
parent 7d773e86b7
commit d3617fbcf0
2 changed files with 32 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
src/ChangeLog
View File

@ -1,3 +1,8 @@
2005-07-07 Hrvoje Niksic <hniksic@xemacs.org>
* openssl.c (ssl_check_certificate): Print custom error messages
for frequent X509 certificate problems.
2005-07-07 Hrvoje Niksic <hniksic@xemacs.org>
* mswindows.h: Define an alias for stat and fstat, as requested by

39
src/openssl.c
View File

@ -509,19 +509,34 @@ ssl_check_certificate (int fd, const char *host)
vresult = SSL_get_verify_result (conn);
if (vresult != X509_V_OK)
{
/* #### We might want to print saner (and translatable) error
messages for several frequently encountered errors. The
candidates would include
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY,
X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN,
X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT,
X509_V_ERR_CERT_NOT_YET_VALID, X509_V_ERR_CERT_HAS_EXPIRED,
and possibly others. The current approach would still be
used for the less frequent failure cases. */
char *issuer = X509_NAME_oneline (X509_get_issuer_name (cert), 0, 0);
logprintf (LOG_NOTQUIET,
_("%s: Certificate verification error for %s: %s\n"),
severity, escnonprint (host),
X509_verify_cert_error_string (vresult));
_("%s: cannot verify %s's certificate, issued by `%s':\n"),
severity, escnonprint (host), escnonprint (issuer));
/* Try to print more user-friendly (and translated) messages for
the frequent verification errors. */
switch (vresult)
{
case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
logprintf (LOG_NOTQUIET,
_(" Unable to locally verify the issuer's authority.\n"));
break;
case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
logprintf (LOG_NOTQUIET, _(" Self-signed certificate encountered.\n"));
break;
case X509_V_ERR_CERT_NOT_YET_VALID:
logprintf (LOG_NOTQUIET, _(" Issued certificate not yet valid.\n"));
break;
case X509_V_ERR_CERT_HAS_EXPIRED:
logprintf (LOG_NOTQUIET, _(" Issued certificate has expired.\n"));
break;
default:
/* For the less frequent error strings, simply provide the
OpenSSL error message. */
logprintf (LOG_NOTQUIET, " %s\n",
X509_verify_cert_error_string (vresult));
}
success = false;
/* Fall through, so that the user is warned about *all* issues
with the cert (important with --no-check-certificate.) */