create_server_ssl_connection(): If the certificate is invalid, log the details
authorFabian Keil <fk@fabiankeil.de>
Sun, 23 Feb 2020 12:00:04 +0000 (13:00 +0100)
committerFabian Keil <fk@fabiankeil.de>
Wed, 26 Feb 2020 07:28:08 +0000 (08:28 +0100)
Sponsored by: Robert Klemme

ssl.c

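--- a/ssl.c
+++ b/ssl.c
@@ -813,11 +813,17 @@ extern int create_server_ssl_connection(struct client_state *csp)
 
          if (ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED)
          {
-            log_error(LOG_LEVEL_ERROR,
-               "Server certificate verification failed: %s", err_buf);
+            char reason[INVALID_CERT_INFO_BUF_SIZE];
+
             csp->server_cert_verification_result =
                mbedtls_ssl_get_verify_result(&(csp->mbedtls_server_attr.ssl));
+            mbedtls_x509_crt_verify_info(reason, sizeof(reason), "",
+               csp->server_cert_verification_result);
 
+            /* Log the reason without the trailing new line */
+            log_error(LOG_LEVEL_ERROR,
+               "The X509 certificate verification failed: %N",
+               strlen(reason)-1, reason);
             ret = -1;
          }
          else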
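Review bot: The `%N` length argument on the added log_error() call is `strlen(reason)-1`, a size_t that wraps to SIZE_MAX when `reason` is empty, and if log_error()'s `%N` handler fetches the length with `va_arg(ap, int)` (as I recall errlog.c does; worth confirming) passing a size_t is also a variadic type mismatch on LP64 platforms. The return value of mbedtls_x509_crt_verify_info() is not checked either, so a too-small buffer (negative return) is logged as whatever partial text it holds. I would check that return, compute the length once as an int and only strip the final character when it really is a '\n' rather than assuming one is present. The rest of create_server_ssl_connection() lies outside the hunk.
```c
            char reason[INVALID_CERT_INFO_BUF_SIZE];
            int reason_len;

            csp->server_cert_verification_result =
               mbedtls_ssl_get_verify_result(&(csp->mbedtls_server_attr.ssl));
            if (mbedtls_x509_crt_verify_info(reason, sizeof(reason), "",
                  csp->server_cert_verification_result) < 0)
            {
               /* Buffer too small or other failure: log an empty reason */
               reason[0] = '\0';
            }
            reason_len = (int)strlen(reason);
            /* Drop the trailing new line mbedtls appends, if there is one */
            if (reason_len > 0 && reason[reason_len - 1] == '\n')
            {
               reason_len--;
            }
            log_error(LOG_LEVEL_ERROR,
               "The X509 certificate verification failed: %N",
               reason_len, reason);
            /* … unchanged: ret = -1; … */
```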