Browse code
tls_ctx_load_ca: Improve certificate error messages
If a CA certificate file includes intermediate certificates, and any
of them fail to verify, the current code will file with "Cannot load
CA certificate file". Instead, generate a more specific error message
identifying the specific sub-certificate(s) which did not validate.
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <CAK6ywbLVtSgRZEt4N+02fz+vQ0GNp==5KdsbqWtZ+fgUzrZq+g@mail.gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/7837
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Klee Dienes authored on 2013/07/07 06:00:02Showing 1 changed files
| ... | ... |
@@ -743,7 +743,7 @@ tls_ctx_load_ca (struct tls_root_ctx *ctx, const char *ca_file, |
| 743 | 743 |
X509_STORE *store = NULL; |
| 744 | 744 |
X509_NAME *xn = NULL; |
| 745 | 745 |
BIO *in = NULL; |
| 746 |
- int i, added = 0; |
|
| 746 |
+ int i, added = 0, prev = 0; |
|
| 747 | 747 |
|
| 748 | 748 |
ASSERT(NULL != ctx); |
| 749 | 749 |
|
| ... | ... |
@@ -770,6 +770,11 @@ tls_ctx_load_ca (struct tls_root_ctx *ctx, const char *ca_file, |
| 770 | 770 |
if (info->crl) |
| 771 | 771 |
X509_STORE_add_crl (store, info->crl); |
| 772 | 772 |
|
| 773 |
+ if (tls_server && !info->x509) |
|
| 774 |
+ {
|
|
| 775 |
+ msg (M_SSLERR, "X509 name was missing in TLS mode"); |
|
| 776 |
+ } |
|
| 777 |
+ |
|
| 773 | 778 |
if (info->x509) |
| 774 | 779 |
{
|
| 775 | 780 |
X509_STORE_add_cert (store, info->x509); |
| ... | ... |
@@ -799,6 +804,15 @@ tls_ctx_load_ca (struct tls_root_ctx *ctx, const char *ca_file, |
| 799 | 799 |
sk_X509_NAME_push (cert_names, xn); |
| 800 | 800 |
} |
| 801 | 801 |
} |
| 802 |
+ |
|
| 803 |
+ if (tls_server) {
|
|
| 804 |
+ int cnum = sk_X509_NAME_num (cert_names); |
|
| 805 |
+ if (cnum != (prev + 1)) {
|
|
| 806 |
+ msg (M_WARN, "Cannot load CA certificate file %s (entry %d did not validate)", np(ca_file), added); |
|
| 807 |
+ } |
|
| 808 |
+ prev = cnum; |
|
| 809 |
+ } |
|
| 810 |
+ |
|
| 802 | 811 |
} |
| 803 | 812 |
sk_X509_INFO_pop_free (info_stack, X509_INFO_free); |
| 804 | 813 |
} |
| ... | ... |
@@ -806,8 +820,15 @@ tls_ctx_load_ca (struct tls_root_ctx *ctx, const char *ca_file, |
| 806 | 806 |
if (tls_server) |
| 807 | 807 |
SSL_CTX_set_client_CA_list (ctx->ctx, cert_names); |
| 808 | 808 |
|
| 809 |
- if (!added || (tls_server && sk_X509_NAME_num (cert_names) != added)) |
|
| 810 |
- msg (M_SSLERR, "Cannot load CA certificate file %s", np(ca_file)); |
|
| 809 |
+ if (!added) |
|
| 810 |
+ msg (M_SSLERR, "Cannot load CA certificate file %s (no entries were read)", np(ca_file)); |
|
| 811 |
+ |
|
| 812 |
+ if (tls_server) {
|
|
| 813 |
+ int cnum = sk_X509_NAME_num (cert_names); |
|
| 814 |
+ if (cnum != added) |
|
| 815 |
+ msg (M_SSLERR, "Cannot load CA certificate file %s (only %d of %d entries were valid X509 names)", np(ca_file), cnum, added); |
|
| 816 |
+ } |
|
| 817 |
+ |
|
| 811 | 818 |
if (in) |
| 812 | 819 |
BIO_free (in); |
| 813 | 820 |
} |