X-Git-Url: http://www.privoxy.org/gitweb/?p=privoxy.git;a=blobdiff_plain;f=ssl.c;h=732cd25bfc7763186407cc72cc01bdc3a52eb976;hp=ccc1b105547b23ddcacb2774917dd2fdc7fc26ce;hb=01b68ef7c45752c231b26ed531e01bbf8dc1bc8b;hpb=500d7c85445b001256f29c0cff5c453c86afb81c diff --git a/ssl.c b/ssl.c index ccc1b105..732cd25b 100644 --- a/ssl.c +++ b/ssl.c @@ -113,7 +113,6 @@ static int file_exists(const char *path); static int host_to_hash(struct client_state *csp); static int ssl_verify_callback(void *data, mbedtls_x509_crt *crt, int depth, uint32_t *flags); static void free_certificate_chain(struct client_state *csp); -static unsigned int get_certificate_mutex_id(struct client_state *csp); static unsigned long get_certificate_serial(struct client_state *csp); static void free_client_ssl_structures(struct client_state *csp); static void free_server_ssl_structures(struct client_state *csp); @@ -437,19 +436,18 @@ extern int create_client_ssl_connection(struct client_state *csp) * Generating certificate for requested host. Mutex to prevent * certificate and key inconsistence must be locked. */ - unsigned int cert_mutex_id = get_certificate_mutex_id(csp); - privoxy_mutex_lock(&(certificates_mutexes[cert_mutex_id])); + privoxy_mutex_lock(&certificate_mutex); ret = generate_webpage_certificate(csp); if (ret < 0) { log_error(LOG_LEVEL_ERROR, "Generate_webpage_certificate failed: %d", ret); - privoxy_mutex_unlock(&(certificates_mutexes[cert_mutex_id])); + privoxy_mutex_unlock(&certificate_mutex); ret = -1; goto exit; } - privoxy_mutex_unlock(&(certificates_mutexes[cert_mutex_id])); + privoxy_mutex_unlock(&certificate_mutex); /* * Seed the RNG 
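Review bot: Replacing the per-host `certificates_mutexes[cert_mutex_id]` with the single `certificate_mutex` in create_client_ssl_connection() serializes `generate_webpage_certificate()` across all intercepted hosts, so one slow key generation now blocks every other client that needs a certificate, not only those for the same host hash; if that trade-off is intended it deserves a comment, since the comment kept above the lock still only speaks of "certificate and key inconsistence". The lock/unlock pairing on the error path (`privoxy_mutex_unlock(&certificate_mutex);` before `goto exit`) looks correct. I would extend the existing comment with `* A single global mutex is used, so certificate generation for all hosts is serialized.` create_client_ssl_connection() starts before this hunk and continues after it.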
@@ -813,11 +811,17 @@ extern int create_server_ssl_connection(struct client_state *csp) if (ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED) { - log_error(LOG_LEVEL_ERROR, - "Server certificate verification failed: %s", err_buf); + char reason[INVALID_CERT_INFO_BUF_SIZE]; + csp->server_cert_verification_result = mbedtls_ssl_get_verify_result(&(csp->mbedtls_server_attr.ssl)); + mbedtls_x509_crt_verify_info(reason, sizeof(reason), "", + csp->server_cert_verification_result); + /* Log the reason without the trailing new line */ + log_error(LOG_LEVEL_ERROR, + "X509 certificate verification for %s failed: %N", + csp->http->hostport, strlen(reason)-1, reason); ret = -1; } else @@ -907,7 +911,7 @@ static void free_server_ssl_structures(struct client_state *csp) * function, we change fd to -1, which is the same what does * rest of mbedtls_net_free function. */ - csp->mbedtls_client_attr.socket_fd.fd = -1; + csp->mbedtls_server_attr.socket_fd.fd = -1; mbedtls_x509_crt_free(&(csp->mbedtls_server_attr.ca_cert)); mbedtls_ssl_free(&(csp->mbedtls_server_attr.ssl)); 
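Review bot: `strlen(reason)-1` in the new log_error() call underflows to SIZE_MAX when `reason` is empty, and the return value of `mbedtls_x509_crt_verify_info()` is not checked, so a too-small `INVALID_CERT_INFO_BUF_SIZE` (negative return, buffer content not usable) or a result that for some reason carries no text would hand `%N` a huge length and read past the buffer. The expression is also a `size_t` passed through varargs; if log_error()'s `%N` fetches an `int`, that is a type mismatch on LP64 platforms that happens to work only by accident. Using the function's returned length, guarding the negative case and only stripping the final byte when it really is `'\n'` avoids all three. The enclosing `if (ret != 0)` block starts before this hunk.
```c
         char reason[INVALID_CERT_INFO_BUF_SIZE];
         csp->server_cert_verification_result = mbedtls_ssl_get_verify_result(&(csp->mbedtls_server_attr.ssl));
         int reason_len = mbedtls_x509_crt_verify_info(reason, sizeof(reason), "",
            csp->server_cert_verification_result);
         if (reason_len < 0)
         {
            /* Buffer too small: the content of reason is not usable. */
            reason_len = 0;
         }
         else if (reason_len > 0 && reason[reason_len - 1] == '\n')
         {
            /* Log the reason without the trailing new line */
            reason_len--;
         }
         log_error(LOG_LEVEL_ERROR,
            "X509 certificate verification for %s failed: %N",
            csp->http->hostport, reason_len, reason);
         /* … unchanged: ret = -1; … */
```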
@@ -1621,29 +1625,6 @@ static char *make_certs_path(const char *conf_dir, const char *file_name, } -/********************************************************************* - * - * Function : get_certificate_mutex_id - * - * Description : Computes mutex id from host name hash. This hash must - * be already saved in csp structure - * - * Parameters : - * 1 : csp = Current client state (buffers, headers, etc...) - * - * Returns : Mutex id for given host name - * - *********************************************************************/ -static unsigned int get_certificate_mutex_id(struct client_state *csp) { -#ifdef LIMIT_MUTEX_NUMBER - return (unsigned int)(csp->http->hash_of_host[0] % 32); -#else - return (unsigned int)(csp->http->hash_of_host[1] - + 256 * (int)csp->http->hash_of_host[0]); -#endif /* LIMIT_MUTEX_NUMBER */ -} - - /********************************************************************* * * Function : get_certificate_serial @@ -1658,7 +1639,8 @@ static unsigned int get_certificate_mutex_id(struct client_state *csp) { * Returns : Serial number for new certificate * *********************************************************************/ -static unsigned long get_certificate_serial(struct client_state *csp) { +static unsigned long get_certificate_serial(struct client_state *csp) +{ unsigned long exp = 1; unsigned long serial = 0; @@ -1707,7 +1689,7 @@ extern void ssl_send_certificate_error(struct client_state *csp) "HTTP/1.1 200 OK\r\n" "Content-Type: text/html\r\n" "Connection: close\r\n\r\n" - "

Invalid server certificate

Reason: "; + "

Server certificate verification failed

Reason: "; const char message_end[] = "\r\n\r\n"; char reason[INVALID_CERT_INFO_BUF_SIZE]; memset(reason, 0, sizeof(reason)); @@ -1782,11 +1764,6 @@ extern void ssl_send_certificate_error(struct client_state *csp) */ ssl_send_data(&(csp->mbedtls_client_attr.ssl), (const unsigned char *)message, strlen(message)); - /* - * Waiting before closing connection. Some browsers don't show received - * message if there isn't this delay. - */ - sleep(1); free_certificate_chain(csp); } @@ -1938,9 +1915,7 @@ static int host_to_hash(struct client_state *csp) int ret = 0; #if !defined(MBEDTLS_MD5_C) - log_error(LOG_LEVEL_ERROR, "MBEDTLS_MD5_C is not defined. Can't create" - "MD5 hash for certificate and key name."); - return -1; +#error mbedTLS needs to be compiled with md5 support #else memset(csp->http->hash_of_host, 0, sizeof(csp->http->hash_of_host)); mbedtls_md5((unsigned char *)csp->http->host, strlen(csp->http->host),