From: Fabian Keil <fk@fabiankeil.de>
Date: Sun, 23 Feb 2020 12:00:04 +0000 (+0100)
Subject: create_server_ssl_connection(): If the certificate is invalid, log the details
X-Git-Tag: v_3_0_29~487
X-Git-Url: http://www.privoxy.org/gitweb/%22https:/faq/@default-cgi@/user-manual/static/@url@?a=commitdiff_plain;h=7966f84bf541a710cf701769eaf7df119a403c8c;p=privoxy.git

create_server_ssl_connection(): If the certificate is invalid, log the details

Sponsored by: Robert Klemme
---

diff --git a/ssl.c b/ssl.c
index 067e7e0f..3e07665c 100644
--- a/ssl.c
+++ b/ssl.c
@@ -813,11 +813,17 @@ extern int create_server_ssl_connection(struct client_state *csp)
 
          if (ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED)
          {
-            log_error(LOG_LEVEL_ERROR,
-               "Server certificate verification failed: %s", err_buf);
+            char reason[INVALID_CERT_INFO_BUF_SIZE];
+
             csp->server_cert_verification_result =
                mbedtls_ssl_get_verify_result(&(csp->mbedtls_server_attr.ssl));
+            mbedtls_x509_crt_verify_info(reason, sizeof(reason), "",
+               csp->server_cert_verification_result);
 
+            /* Log the reason without the trailing new line */
+            log_error(LOG_LEVEL_ERROR,
+               "The X509 certificate verification failed: %N",
+               strlen(reason)-1, reason);
             ret = -1;
          }
          else
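Review bot: `strlen(reason)-1` underflows to SIZE_MAX when `reason` is empty, and the return value of `mbedtls_x509_crt_verify_info()` — which can be a negative error code that leaves the buffer contents unreliable — is never checked before the string is logged. Capture the return and strip the newline only when it is really there: `int len = mbedtls_x509_crt_verify_info(reason, sizeof(reason), "", csp->server_cert_verification_result);` then `if (len < 0) len = 0; else if (len > 0 && reason[len - 1] == '\n') len--;` and pass `len` to `%N` in place of `strlen(reason)-1`. That also stops a `size_t` being pushed through the varargs where `%N` presumably reads an `int` — worth confirming against log_error(). Dropping `err_buf` from the message loses the mbedtls error string that the old line reported; if it helped when diagnosing handshake failures, consider keeping it in the new message. create_server_ssl_connection() starts and ends outside the hunk.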