Display the correct error message if X509_verify_cert() fails.

We must use X509_STORE_CTX_get_error() and X509_verify_cert_error_string() instead of the generic OpenSSL error functions.
2021-07-27 14:49:28 -06:00
parent d109cd61d9
commit aee82efe45
1 changed files with 2 additions and 1 deletions
--- a/logsrvd/tls_init.c
+++ b/logsrvd/tls_init.c
@@ -90,7 +90,8 @@ verify_cert_chain(SSL_CTX *ctx, const char *cert_file)
    }

    if (X509_verify_cert(store_ctx) <= 0) {
-	errstr = ERR_reason_error_string(ERR_get_error());
+	errstr =
+	    X509_verify_cert_error_string(X509_STORE_CTX_get_error(store_ctx));
 	sudo_warnx("X509_verify_cert: %s", errstr);
        goto done;
    }