Comment: More descriptive SSL error messages.
SHA1: 6b8b6d2e2395857aabf586024c6f4024faef8beb
User & Date: bcsmith 2010-10-03 19:24:57

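--- a/src/http_ssl.c
+++ b/src/http_ssl.c
@@ -126,15 +126,16 @@
 **    g.urlPort       TCP/IP port to use.  Ex: 80
 **
 ** Return the number of errors.
 */
 int ssl_open(void){
   X509 *cert;
   int hasSavedCertificate = 0;
-char *connStr ;
+  char *connStr;
+  int vresult = 0;
   ssl_global_init();
 
   /* Get certificate for current server from global config and
    * (if we have it in config) add it to certificate store.
    */
   cert = ssl_get_certificate();
   if ( cert!=NULL ){
@@ -174,17 +175,18 @@
 
   if ( cert==NULL ){
     ssl_set_errmsg("No SSL certificate was presented by the peer");
     ssl_close();
     return 1;
   }
 
-  if( SSL_get_verify_result(ssl) != X509_V_OK ){
+  if( (vresult = SSL_get_verify_result(ssl)) != X509_V_OK ){
     char *desc, *prompt;
     char *warning = "";
+    char *ssl_verify_error = "";
     Blob ans;
     BIO *mem;
     
     mem = BIO_new(BIO_s_mem());
     X509_NAME_print_ex(mem, X509_get_subject_name(cert), 2, XN_FLAG_MULTILINE);
     BIO_puts(mem, "\n\nIssued By:\n\n");
     X509_NAME_print_ex(mem, X509_get_issuer_name(cert), 2, XN_FLAG_MULTILINE);
@@ -191,16 +193,143 @@
     BIO_write(mem, "", 1); // null-terminate mem buffer
     BIO_get_mem_data(mem, &desc);
     
     if( hasSavedCertificate ){
       warning = "WARNING: Certificate doesn't match the "
                 "saved certificate for this host!";
     }
-    prompt = mprintf("\nUnknown SSL certificate:\n\n%s\n\n%s\n"
-                     "Accept certificate [a=always/y/N]? ", desc, warning);
+    switch(vresult) {
+      case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
+        ssl_verify_error = "SSL: unable to get issuer certificate.";
+        break;
+
+      case X509_V_ERR_UNABLE_TO_GET_CRL:
+        ssl_verify_error = "SSL: unable to get certificate CRL.";
+        break;
+
+      case X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE:
+        ssl_verify_error = "SSL: unable to decrypt certificate’s signature.";
+        break;
+
+      case X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE:
+        ssl_verify_error = "SSL: unable to decrypt CRL’s signature.";
+        break;
+
+      case X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY:
+        ssl_verify_error = "SSL: unable to decode issuer public key.";
+        break;
+
+      case X509_V_ERR_CERT_SIGNATURE_FAILURE:
+        ssl_verify_error = "SSL: certificate signature failure.";
+        break;
+
+      case X509_V_ERR_CRL_SIGNATURE_FAILURE:
+        ssl_verify_error = "SSL: CRL signature failure.";
+        break;
+
+      case X509_V_ERR_CERT_NOT_YET_VALID:
+        ssl_verify_error = "SSL: certificate is not yet valid.";
+        break;
+
+      case X509_V_ERR_CERT_HAS_EXPIRED:
+        ssl_verify_error = "SSL: certificate has expired.";
+        break;
+
+      case X509_V_ERR_CRL_NOT_YET_VALID:
+        ssl_verify_error = "SSL: CRL is not yet valid.";
+        break;
+
+      case X509_V_ERR_CRL_HAS_EXPIRED:
+        ssl_verify_error = "SSL: CRL has expired.";
+        break;
+
+      case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
+        ssl_verify_error = "SSL: format error in certificate’s notBefore field.";
+        break;
+
+      case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
+        ssl_verify_error = "SSL: format error in certificate’s notAfter field.";
+        break;
+
+      case X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD:
+        ssl_verify_error = "SSL: format error in CRL’s lastUpdate field.";
+        break;
+
+      case X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD:
+        ssl_verify_error = "SSL: format error in CRL’s nextUpdate field.";
+        break;
+
+      case X509_V_ERR_OUT_OF_MEM:
+        ssl_verify_error = "SSL: out of memory.";
+        break;
+
+      case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
+        ssl_verify_error = "SSL: self signed certificate.";
+        break;
+
+      case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
+        ssl_verify_error = "SSL: self signed certificate in certificate chain.";
+        break;
+
+      case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
+        ssl_verify_error = "SSL: unable to get local issuer certificate.";
+        break;
+
+      case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
+        ssl_verify_error = "SSL: unable to verify the first certificate.";
+        break;
+
+      case X509_V_ERR_CERT_CHAIN_TOO_LONG:
+        ssl_verify_error = "SSL: certificate chain too long.";
+        break;
+
+      case X509_V_ERR_CERT_REVOKED:
+        ssl_verify_error = "SSL: certificate revoked.";
+        break;
+
+      case X509_V_ERR_INVALID_CA:
+        ssl_verify_error = "SSL: invalid CA certificate.";
+        break;
+
+      case X509_V_ERR_PATH_LENGTH_EXCEEDED:
+        ssl_verify_error = "SSL: path length constraint exceeded.";
+        break;
+
+      case X509_V_ERR_INVALID_PURPOSE:
+        ssl_verify_error = "SSL: unsupported certificate purpose.";
+        break;
+
+      case X509_V_ERR_CERT_UNTRUSTED:
+        ssl_verify_error = "SSL: certificate not trusted.";
+        break;
+
+      case X509_V_ERR_CERT_REJECTED:
+        ssl_verify_error = "SSL: certificate rejected.";
+        break;
+
+      case X509_V_ERR_SUBJECT_ISSUER_MISMATCH:
+        ssl_verify_error = "SSL: subject issuer mismatch.";
+        break;
+
+      case X509_V_ERR_AKID_SKID_MISMATCH:
+        ssl_verify_error = "SSL: authority and subject key identifier mismatch.";
+        break;
+
+      case X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH:
+        ssl_verify_error = "SSL: authority and issuer serial number mismatch.";
+        break;
+
+      case X509_V_ERR_KEYUSAGE_NO_CERTSIGN:
+        ssl_verify_error = "SSL: key usage does not include certificate signing.";
+        break;
+      default:
+        ssl_verify_error = "SSL: Unknown error.";
+    };
+    prompt = mprintf("\nUnknown SSL certificate:\n\n%s\n\n%s\n%s Code: %d\n"
+                     "Accept certificate [a=always/y/N]? ", desc, warning, ssl_verify_error, vresult);
     BIO_free(mem);
 
     prompt_user(prompt, &ans);
     free(prompt);
     if( blob_str(&ans)[0]!='y' && blob_str(&ans)[0]!='a' ) {
       X509_free(cert);
       ssl_set_errmsg("SSL certificate declined");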