Currently we log a bogus error message saying private key password
verification failed when SSL_CTX_use_cert_and_key() fails in
pkcs11_openssl.c. Instead print OpenSSL error queue and exit promptly.
Also log OpenSSL errors when SSL_CTX_use_certificate() fails in
cryptoapi.c and elsewhere. Such logging could be useful especially when
the certificate is rejected by OpenSSL due to stricter security
restrictions in recent versions of the library.
Change-Id: Ic7ec25ac0503a91d5869b8da966d0065f264af22
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <
20231001174920.54154-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27122.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
#include "openssl_compat.h"
#include "win32.h"
#include "xkey_common.h"
+#include "crypto_openssl.h"
#ifndef HAVE_XKEY_PROVIDER
if (SSL_CTX_use_certificate(ssl_ctx, cert)
&& SSL_CTX_use_PrivateKey(ssl_ctx, privkey))
{
+ crypto_print_openssl_errors(M_WARN);
ret = 1;
}
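Review bot: The new crypto_print_openssl_errors(M_WARN) call sits inside the branch taken only when both SSL_CTX_use_certificate() and SSL_CTX_use_PrivateKey() succeed, so the failure case this commit is meant to diagnose prints nothing here, while a successful load may log stale queue entries as warnings. Unless draining the queue after success is intended, the call belongs in the failure path: `ret = 1; } else { crypto_print_openssl_errors(M_WARN); }`. The enclosing function starts and ends outside the hunk, so if a later failure path already prints the queue, the call here can simply be dropped.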
if (!SSL_CTX_use_cert_and_key(ctx->ctx, x509, pkey, NULL, 0))
{
- msg(M_WARN, "PKCS#11: Failed to set cert and private key for OpenSSL");
+ crypto_print_openssl_errors(M_WARN);
+ msg(M_FATAL, "PKCS#11: Failed to set cert and private key for OpenSSL");
goto cleanup;
}
ret = 1;
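Review bot: With msg(M_FATAL, ...) now terminating the process, the `goto cleanup;` on the following line is unreachable, and the same holds for the second pkcs11_openssl.c hunk (the "Cannot set certificate for openssl" case). Either drop the goto so the control flow reads as it executes, or keep M_WARN and leave the cleanup path live if callers are expected to handle the failed return; both hunks should pick the same option. The enclosing functions start and end outside the hunks, so what the cleanup label releases on this path is not visible here.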
if (!SSL_CTX_use_certificate(ssl_ctx->ctx, x509))
{
- msg(M_WARN, "PKCS#11: Cannot set certificate for openssl");
+ crypto_print_openssl_errors(M_WARN);
+ msg(M_FATAL, "PKCS#11: Cannot set certificate for openssl");
goto cleanup;
}
ret = 0;
/* Load Certificate */
if (!SSL_CTX_use_certificate(ctx->ctx, cert))
{
+ crypto_print_openssl_errors(M_WARN);
crypto_msg(M_FATAL, "Cannot use certificate");
}
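Review bot: The added crypto_print_openssl_errors(M_WARN) immediately precedes crypto_msg(M_FATAL, ...), and if crypto_msg() already drains the OpenSSL error queue before logging (as its name suggests; worth confirming against crypto_openssl.h) the new call empties the queue first and the macro then finds nothing, which is harmless but redundant. The same pattern appears in the `end:` hunk below, where the call precedes crypto_msg(M_FATAL, "Cannot load inline certificate file"). If crypto_msg() does not print the queue, a comment such as `/* dump the OpenSSL error queue before the fatal message */` would make the ordering intentional for the next reader. The enclosing functions start and end outside the hunks.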
end:
if (!ret)
{
+ crypto_print_openssl_errors(M_WARN);
if (cert_file_inline)
{
crypto_msg(M_FATAL, "Cannot load inline certificate file");
return NULL;
}
+/* replacement for crypto_print_openssl_errors() */
+void
+crypto_print_openssl_errors(const unsigned int flags)
+{
+ unsigned long e;
+ while ((e = ERR_get_error()))
+ {
+ msg(flags, "OpenSSL error %lu: %s\n", e, ERR_error_string(e, NULL));
+ }
+}
+
/* tls_libctx is defined in ssl_openssl.c which we do not want to compile in */
OSSL_LIB_CTX *tls_libctx;
struct management *management; /* global */
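Review bot: ERR_error_string(e, NULL) in the new test stub formats into a static buffer shared across calls, which is acceptable in a single-threaded unit test but the bounded form is just as short: `char buf[256];` before the loop, then `ERR_error_string_n(e, buf, sizeof buf);` and `msg(flags, "OpenSSL error %lu: %s", e, buf);`. The trailing `\n` in the format string is likely spurious if msg() appends its own line ending, as the other msg() calls in this commit assume — worth checking. The identical function is added again in the second test file (the hunk after `struct management *management;`); a shared test stub would avoid keeping two copies in step.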
+/* replacement for crypto_print_openssl_errors() */
+void
+crypto_print_openssl_errors(const unsigned int flags)
+{
+ unsigned long e;
+ while ((e = ERR_get_error()))
+ {
+ msg(flags, "OpenSSL error %lu: %s\n", e, ERR_error_string(e, NULL));
+ }
+}
+
/* stubs for some unused functions instead of pulling in too many dependencies */
int
parse_line(const char *line, char **p, const int n, const char *file,