isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Display the correct error message if X509_verify_cert() fails.

Browse Source 
We must use X509_STORE_CTX_get_error() and X509_verify_cert_error_string()
instead of the generic OpenSSL error functions.
This commit is contained in:
Todd C. Miller
2021-07-27 14:49:28 -06:00
parent d109cd61d9
commit aee82efe45
1 changed files with 2 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
logsrvd/tls_init.c
View File

@@ -90,7 +90,8 @@ verify_cert_chain(SSL_CTX *ctx, const char *cert_file)
} }
if (X509_verify_cert(store_ctx) <= 0) { if (X509_verify_cert(store_ctx) <= 0) {
errstr = ERR_reason_error_string(ERR_get_error()); errstr =
X509_verify_cert_error_string(X509_STORE_CTX_get_error(store_ctx));
sudo_warnx("X509_verify_cert: %s", errstr); sudo_warnx("X509_verify_cert: %s", errstr);
goto done; goto done;
} }