X-Git-Url: http://www.privoxy.org/gitweb/?p=privoxy.git;a=blobdiff_plain;f=jcc.c;h=0ca5b5d45fc81d6cdaca4621a42af0dec9e12307;hp=e18132d49aa195cec2e804f34e9e6e681a8c4d69;hb=836a87456a11821a642b28563de27c2d202fb60b;hpb=15e6416d9fee24c73f17413a937dd1fb58240b94

diff --git a/jcc.c b/jcc.c
index e18132d4..0ca5b5d4 100644
--- a/jcc.c
+++ b/jcc.c
@@ -5,7 +5,7 @@
  * Purpose     :  Main file.  Contains main() method, main loop, and
  *                the main connection-handling function.
  *
- * Copyright   :  Written by and Copyright (C) 2001-2019 the
+ * Copyright   :  Written by and Copyright (C) 2001-2020 the
  *                Privoxy team. https://www.privoxy.org/
  *
  *                Based on the Internet Junkbuster originally written
@@ -3948,21 +3948,34 @@ static void chat(struct client_state *csp)
              * with destination server
              */
             int ret = create_server_ssl_connection(csp);
-            /*
-             * If TLS/SSL connection wasn't created and invalid certificate
-             * wasn't detected, we can interrupt this function. Otherwise, we
-             * must inform client about invalid server certificate.
-             */
-            if (ret != 0
-               && (csp->server_cert_verification_result == SSL_CERT_NOT_VERIFIED
-                  || csp->server_cert_verification_result == SSL_CERT_VALID))
+            if (ret != 0)
             {
-               rsp = error_response(csp, "connect-failed");
-               if (rsp)
+               if (csp->server_cert_verification_result != SSL_CERT_VALID &&
+                   csp->server_cert_verification_result != SSL_CERT_NOT_VERIFIED)
                {
-                  send_crunch_response(csp, rsp);
+                  /*
+                   * If the server certificate is invalid, we must inform
+                   * the client and then close connection to the client.
+                   */
+                  ssl_send_certificate_error(csp);
+                  close_client_and_server_ssl_connections(csp);
+                  return;
+               }
+               if (csp->server_cert_verification_result == SSL_CERT_NOT_VERIFIED
+                || csp->server_cert_verification_result == SSL_CERT_VALID)
+               {
+                  /*
+                   * The TLS/SSL connection wasn't created but an invalid
+                   * certificate wasn't detected. Report it as connection
+                   * failure.
+                   */
+                  rsp = error_response(csp, "connect-failed");
+                  if (rsp)
+                  {
+                     send_crunch_response(csp, rsp);
+                  }
+                  return;
                }
-               return;
             }
          }
       }/* -END- if (http->ssl) */
@@ -4038,7 +4051,7 @@ static void chat(struct client_state *csp)
             rsp = error_response(csp, "connect-failed");
             if (rsp)
             {
-               send_crunch_response(csp, rsp); /* XXX: use ssl*/
+               send_crunch_response(csp, rsp);
             }
             close_client_and_server_ssl_connections(csp);
             return;