From 7966f84bf541a710cf701769eaf7df119a403c8c Mon Sep 17 00:00:00 2001
From: Fabian Keil
Date: Sun, 23 Feb 2020 13:00:04 +0100
Subject: [PATCH] create_server_ssl_connection(): If the certificate is invalid, log the details

Sponsored by: Robert Klemme
---
 ssl.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/ssl.c b/ssl.c
index 067e7e0f..3e07665c 100644
--- a/ssl.c
+++ b/ssl.c
@@ -813,11 +813,17 @@ extern int create_server_ssl_connection(struct client_state *csp)
 if (ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED)
 {
- log_error(LOG_LEVEL_ERROR,
- "Server certificate verification failed: %s", err_buf);
+ char reason[INVALID_CERT_INFO_BUF_SIZE];
+ csp->server_cert_verification_result = mbedtls_ssl_get_verify_result(&(csp->mbedtls_server_attr.ssl));
+ mbedtls_x509_crt_verify_info(reason, sizeof(reason), "",
+ csp->server_cert_verification_result);
+ /* Log the reason without the trailing new line */
+ log_error(LOG_LEVEL_ERROR,
+ "The X509 certificate verification failed: %N",
+ strlen(reason)-1, reason);
 ret = -1;
 }
 else
-- 
2.39.2
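Review bot: `strlen(reason)-1` in the new log_error() call wraps to SIZE_MAX when `reason` is an empty string, and `reason` is read uninitialised if mbedtls_x509_crt_verify_info() writes nothing, since the buffer has no initialiser and the call's return value is not checked. This branch runs when a remote server presents a certificate that fails verification, so the length handed to `%N` should not rely on the helper always producing a newline-terminated message. Initialise the buffer with `char reason[INVALID_CERT_INFO_BUF_SIZE] = "";` and compute the length defensively, `size_t len = strlen(reason); if (len > 0 && reason[len - 1] == '\n') len--;`, then pass `len` instead of `strlen(reason)-1`. The enclosing function starts and ends outside the hunk.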