mirror of
https://github.com/moparisthebest/wget
synced 2024-07-03 16:38:41 -04:00
[svn] Print separate error messages for frequent X509 certificate problems.
This commit is contained in:
parent
7d773e86b7
commit
d3617fbcf0
@ -1,3 +1,8 @@
|
||||
2005-07-07 Hrvoje Niksic <hniksic@xemacs.org>
|
||||
|
||||
* openssl.c (ssl_check_certificate): Print custom error messages
|
||||
for frequent X509 certificate problems.
|
||||
|
||||
2005-07-07 Hrvoje Niksic <hniksic@xemacs.org>
|
||||
|
||||
* mswindows.h: Define an alias for stat and fstat, as requested by
|
||||
|
@ -509,19 +509,34 @@ ssl_check_certificate (int fd, const char *host)
|
||||
vresult = SSL_get_verify_result (conn);
|
||||
if (vresult != X509_V_OK)
|
||||
{
|
||||
/* #### We might want to print saner (and translatable) error
|
||||
messages for several frequently encountered errors. The
|
||||
candidates would include
|
||||
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY,
|
||||
X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN,
|
||||
X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT,
|
||||
X509_V_ERR_CERT_NOT_YET_VALID, X509_V_ERR_CERT_HAS_EXPIRED,
|
||||
and possibly others. The current approach would still be
|
||||
used for the less frequent failure cases. */
|
||||
char *issuer = X509_NAME_oneline (X509_get_issuer_name (cert), 0, 0);
|
||||
logprintf (LOG_NOTQUIET,
|
||||
_("%s: Certificate verification error for %s: %s\n"),
|
||||
severity, escnonprint (host),
|
||||
X509_verify_cert_error_string (vresult));
|
||||
_("%s: cannot verify %s's certificate, issued by `%s':\n"),
|
||||
severity, escnonprint (host), escnonprint (issuer));
|
||||
/* Try to print more user-friendly (and translated) messages for
|
||||
the frequent verification errors. */
|
||||
switch (vresult)
|
||||
{
|
||||
case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
|
||||
logprintf (LOG_NOTQUIET,
|
||||
_(" Unable to locally verify the issuer's authority.\n"));
|
||||
break;
|
||||
case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
|
||||
case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
|
||||
logprintf (LOG_NOTQUIET, _(" Self-signed certificate encountered.\n"));
|
||||
break;
|
||||
case X509_V_ERR_CERT_NOT_YET_VALID:
|
||||
logprintf (LOG_NOTQUIET, _(" Issued certificate not yet valid.\n"));
|
||||
break;
|
||||
case X509_V_ERR_CERT_HAS_EXPIRED:
|
||||
logprintf (LOG_NOTQUIET, _(" Issued certificate has expired.\n"));
|
||||
break;
|
||||
default:
|
||||
/* For the less frequent error strings, simply provide the
|
||||
OpenSSL error message. */
|
||||
logprintf (LOG_NOTQUIET, " %s\n",
|
||||
X509_verify_cert_error_string (vresult));
|
||||
}
|
||||
success = false;
|
||||
/* Fall through, so that the user is warned about *all* issues
|
||||
with the cert (important with --no-check-certificate.) */
|
||||
|
Loading…
Reference in New Issue
Block a user