authorDaniel Stenberg <daniel@haxx.se>2016-01-14 21:25:30 +0100
committerDaniel Stenberg <daniel@haxx.se>2016-01-14 21:25:30 +0100
commit35083ca60ed035a4a097c003a339d92b69f3d87c (patch)
tree7c4f10ff458056e35526a3f065b12224067b06b0
parentfdcc4d6daa0a28c530577a0e83066b110e390428 (diff)
downloadcurl-35083ca60ed035a4a097c003a339d92b69f3d87c.tar.gz
openssl: improved error detection/reporting
... by extracting the LIB + REASON from the OpenSSL error code. OpenSSL 1.1.0+ returned a new func number for another certificate failure, so this required a fix, and this is the better way to catch this error anyway.
-rw-r--r--lib/vtls/openssl.c43
1 files changed, 18 insertions, 25 deletions
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index 204d6574b..e5589e325 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -2104,27 +2104,22 @@ static CURLcode ossl_connect_step2(struct connectdata *conn, int sockindex)
least 256 bytes long. */
CURLcode result;
long lerr;
+ int lib;
+ int reason;
- connssl->connecting_state = ssl_connect_2; /* the connection failed,
- we're not waiting for
- anything else. */
-
- errdetail = ERR_get_error(); /* Gets the earliest error code from the
- thread's error queue and removes the
- entry. */
-
- switch(errdetail) {
- case 0x1407E086:
- /* 1407E086:
- SSL routines:
- SSL2_SET_CERTIFICATE:
- certificate verify failed */
- /* fall-through */
- case 0x14090086:
- /* 14090086:
- SSL routines:
- SSL3_GET_SERVER_CERTIFICATE:
- certificate verify failed */
+ /* the connection failed, we're not waiting for anything else. */
+ connssl->connecting_state = ssl_connect_2;
+
+ /* Get the earliest error code from the thread's error queue and removes
+ the entry. */
+ errdetail = ERR_get_error();
+
+ /* Extract which lib and reason */
+ lib = ERR_GET_LIB(errdetail);
+ reason = ERR_GET_REASON(errdetail);
+
+ if((lib == ERR_LIB_SSL) &&
+ (reason == SSL_R_CERTIFICATE_VERIFY_FAILED)) {
result = CURLE_SSL_CACERT;
lerr = SSL_get_verify_result(connssl->handle);
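Review bot: The new lib/reason classification does not say what happens when `ERR_get_error()` returns 0 because the thread's error queue is empty; in that case `ERR_GET_LIB` and `ERR_GET_REASON` both yield 0, the verify-failure test is false, and the else branch reports `SSL_strerror(0, ...)` as a generic CURLE_SSL_CONNECT_ERROR, which looks intentional but is undocumented. A comment on the `errdetail = ERR_get_error();` line such as `/* 0 here means the queue was empty; that case is reported through the generic branch below */` would make the fallback explicit for whoever next extends the classification. The new comment above it also reads "Get the earliest error code ... and removes the entry" — `/* Get the earliest error code from the thread's error queue and remove the entry. */` keeps the verbs parallel. The enclosing ossl_connect_step2() begins and ends outside this hunk, and the else branch itself is in the next hunk.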
@@ -2136,13 +2131,11 @@ static CURLcode ossl_connect_step2(struct connectdata *conn, int sockindex)
else
/* strcpy() is fine here as long as the string fits within
error_buffer */
- strcpy(error_buffer,
- "SSL certificate problem, check your CA cert");
- break;
- default:
+ strcpy(error_buffer, "SSL certificate verification failed");
+ }
+ else {
result = CURLE_SSL_CONNECT_ERROR;
SSL_strerror(errdetail, error_buffer, sizeof(error_buffer));
- break;
}
/* detail is already set to the SSL error above */