mirror/curl
2
0
Fork 0
mirror of https://github.com/curl/curl.git synced 2024-11-21 01:16:58 +08:00
Code Issues Packages Projects Releases Wiki Activity

- Improved error message for not matching certificate subject name in

Browse Source 
libcurl-NSS. Originally reported at:
  https://bugzilla.redhat.com/show_bug.cgi?id=516056#c9
This commit is contained in:
Kamil Dudka 2009-08-28 12:06:51 +00:00
parent 1d92cf1dab
commit 1a255e0e28
2 changed files with 12 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
CHANGES
View File

@ -6,6 +6,11 @@
Changelog
Kamil Dudka (28 Aug 2009)
- Improved error message for not matching certificate subject name in
libcurl-NSS. Originally reported at:
https://bugzilla.redhat.com/show_bug.cgi?id=516056#c9
Patrick Monnerat (24 Aug 2009)
- Introduced a SYST-based test to properly set-up name format when dealing
with the OS/400 FTP server.

12
lib/nss.c
View File

@ -591,7 +591,7 @@ static SECStatus BadCertHandler(void *arg, PRFileDesc *sock)
struct connectdata *conn = (struct connectdata *)arg;
PRErrorCode err = PR_GetError();
CERTCertificate *cert = NULL;
char *subject, *issuer;
char *subject, *subject_cn, *issuer;
if(conn->data->set.ssl.certverifyresult!=0)
return success;
@ -599,6 +599,7 @@ static SECStatus BadCertHandler(void *arg, PRFileDesc *sock)
conn->data->set.ssl.certverifyresult=err;
cert = SSL_PeerCertificate(sock);
subject = CERT_NameToAscii(&cert->subject);
subject_cn = CERT_GetCommonName(&cert->subject);
issuer = CERT_NameToAscii(&cert->issuer);
CERT_DestroyCertificate(cert);
@ -616,12 +617,12 @@ static SECStatus BadCertHandler(void *arg, PRFileDesc *sock)
break;
case SSL_ERROR_BAD_CERT_DOMAIN:
if(conn->data->set.ssl.verifyhost) {
failf(conn->data, "common name '%s' does not match '%s'",
subject, conn->host.dispname);
failf(conn->data, "SSL: certificate subject name '%s' does not match "
"target host name '%s'", subject_cn, conn->host.dispname);
success = SECFailure;
} else {
infof(conn->data, "warning: common name '%s' does not match '%s'\n",
subject, conn->host.dispname);
infof(conn->data, "warning: SSL: certificate subject name '%s' does not "
"match target host name '%s'\n", subject_cn, conn->host.dispname);
}
break;
case SEC_ERROR_EXPIRED_CERTIFICATE:
@ -645,6 +646,7 @@ static SECStatus BadCertHandler(void *arg, PRFileDesc *sock)
if(success == SECSuccess)
infof(conn->data, "SSL certificate verify ok.\n");
PR_Free(subject);
PR_Free(subject_cn);
PR_Free(issuer);
return success;