error reporting in tls_get_cert()
- To: openldap-devel <openldap-devel@OpenLDAP.org>
- Subject: error reporting in tls_get_cert()
- From: "Kervin L. Pierre" <kervin@blueprint-tech.com>
- Date: Thu, 02 May 2002 22:03:54 -0400
- User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.0+) Gecko/20020428
Hello,
I've been trying to track down the reason for SSL/TLS not working on my
system from current CVS.
The function tls_get_cert() verifies certs, but lumps all errors
returned from SSL_get_verify_result() together as "bad certificate".
The test in tls_get_cert() looks like...
    tls_get_cert( SSL *s )
    {
        /* If peer cert was bad, treat as if no cert was given */
        if (SSL_get_verify_result(s)) {
            /* If we can send an alert, do so */
            ...
The value returned from SSL_get_verify_result() is thrown away. But
this value is important for debugging and should be reported to the
user. The error messages for the return value can be found in the
"openssl verify" manpage or http://www.openssl.org/docs/apps/verify.html
I know logging is in flux right now. But can this be reported to the
user at some debug level? I am willing to do the patch if advised.
--Kervin