ack
On Fri, Jun 22, 2012 at 11:55 AM, Christophe Fergeau
<cfergeau@xxxxxxxxxx> wrote:
> This should make SSL connection failures easier to diagnose.
> ---
> common/ssl_verify.c | 41 ++++++++++++++++++++++++++++++++---------
> 1 file changed, 32 insertions(+), 9 deletions(-)
>
> diff --git a/common/ssl_verify.c b/common/ssl_verify.c
> index 3667b2e..56b25ac 100644
> --- a/common/ssl_verify.c
> +++ b/common/ssl_verify.c
> @@ -413,6 +413,7 @@ static int openssl_verify(int preverify_ok, X509_STORE_CTX *ctx)
> SSL *ssl;
> X509* cert;
> char buf[256];
> + unsigned int failed_verifications;
>
> ssl = (SSL*)X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
> v = (SpiceOpenSSLVerify*)SSL_get_app_data(ssl);
> @@ -444,20 +445,42 @@ static int openssl_verify(int preverify_ok, X509_STORE_CTX *ctx)
> return 0;
> }
>
> - if (v->verifyop & SPICE_SSL_VERIFY_OP_PUBKEY &&
> - verify_pubkey(cert, v->pubkey, v->pubkey_size))
> - return 1;
> + failed_verifications = 0;
> + if (v->verifyop & SPICE_SSL_VERIFY_OP_PUBKEY)
> + if (verify_pubkey(cert, v->pubkey, v->pubkey_size))
> + return 1;
> + else
> + failed_verifications |= SPICE_SSL_VERIFY_OP_PUBKEY;
>
> if (!v->all_preverify_ok || !preverify_ok)
> return 0;
>
> - if (v->verifyop & SPICE_SSL_VERIFY_OP_HOSTNAME &&
> - verify_hostname(cert, v->hostname))
> - return 1;
> + if (v->verifyop & SPICE_SSL_VERIFY_OP_HOSTNAME)
> + if (verify_hostname(cert, v->hostname))
> + return 1;
> + else
> + failed_verifications |= SPICE_SSL_VERIFY_OP_HOSTNAME;
>
> - if (v->verifyop & SPICE_SSL_VERIFY_OP_SUBJECT &&
> - verify_subject(cert, v))
> - return 1;
> +
> + if (v->verifyop & SPICE_SSL_VERIFY_OP_SUBJECT)
> + if (verify_subject(cert, v))
> + return 1;
> + else
> + failed_verifications |= SPICE_SSL_VERIFY_OP_SUBJECT;
> +
> + /* If we reach this code, this means all the tests failed, thus
> + * verification failed
> + */
> + if (failed_verifications & SPICE_SSL_VERIFY_OP_PUBKEY)
> + spice_warning("ssl: pubkey verification failed");
> +
> + if (failed_verifications & SPICE_SSL_VERIFY_OP_HOSTNAME)
> + spice_warning("ssl: hostname '%s' verification failed", v->hostname);
> +
> + if (failed_verifications & SPICE_SSL_VERIFY_OP_SUBJECT)
> + spice_warning("ssl: subject '%s' verification failed", v->subject);
> +
> + spice_warning("ssl: verification failed");
>
> return 0;
> }
> --
> 1.7.10.2
>
> _______________________________________________
> Spice-devel mailing list
> Spice-devel@xxxxxxxxxxxxxxxxxxxxx
> http://lists.freedesktop.org/mailman/listinfo/spice-devel
--
Marc-André Lureau
_______________________________________________
Spice-devel mailing list
Spice-devel@xxxxxxxxxxxxxxxxxxxxx
http://lists.freedesktop.org/mailman/listinfo/spice-devel