gnutls/wolfssl: improve error message when certificate fails
authorStefan Eissing <stefan@eissing.org>
Mon, 12 Aug 2024 10:21:38 +0000 (12:21 +0200)
committerDaniel Stenberg <daniel@haxx.se>
Wed, 14 Aug 2024 09:47:01 +0000 (11:47 +0200)
Give more detailed reasons for certificate failures where available in
gnutls and wolfssl to allow the user to understand the cause of the failure.

Closes #14501

lib/vtls/gtls.c
lib/vtls/wolfssl.c

index fc72ea269847f337369ec7cfb229534fad18db09..03d6fcc038aac385bc13d895c86e8a1075b12fae 100644 (file)
@@ -340,7 +340,7 @@ static CURLcode handshake(struct Curl_cfilter *cf,
       if(!strerr)
         strerr = gnutls_strerror(rc);
 
-      failf(data, "gnutls_handshake() failed: %s", strerr);
+      failf(data, "GnuTLS, handshake failed: %s", strerr);
       return CURLE_SSL_CONNECT_ERROR;
     }
 
@@ -1295,9 +1295,18 @@ Curl_gtls_verifyserver(struct Curl_easy *data,
     /* verify_status is a bitmask of gnutls_certificate_status bits */
     if(verify_status & GNUTLS_CERT_INVALID) {
       if(config->verifypeer) {
-        failf(data, "server certificate verification failed. CAfile: %s "
-              "CRLfile: %s", config->CAfile ? config->CAfile:
-              "none",
+        const char *cause = "certificate error, no details available";
+        if(verify_status & GNUTLS_CERT_EXPIRED)
+          cause = "certificate has expired";
+        else if(verify_status & GNUTLS_CERT_SIGNER_NOT_FOUND)
+          cause = "certificate signer not trusted";
+        else if(verify_status & GNUTLS_CERT_INSECURE_ALGORITHM)
+          cause = "certificate uses insecure algorithm";
+        else if(verify_status & GNUTLS_CERT_INVALID_OCSP_STATUS)
+          cause = "attached OCSP status response is invalid";
+        failf(data, "server verification failed: %s. (CAfile: %s "
+              "CRLfile: %s)", cause,
+              config->CAfile ? config->CAfile: "none",
               ssl_config->primary.CRLfile ?
               ssl_config->primary.CRLfile : "none");
         return CURLE_PEER_FAILED_VERIFICATION;
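Review bot: The new `if`/`else if` chain maps only four status bits, so a certificate that is not yet valid or has been revoked still reports the generic "certificate error, no details available" — the wolfSSL hunk in this same commit does distinguish "not valid yet", so the GnuTLS side is now the less informative of the two. Adding `else if(verify_status & GNUTLS_CERT_NOT_ACTIVATED) cause = "certificate not valid yet";` and a matching branch for `GNUTLS_CERT_REVOKED` before the fallback would close that gap; since `verify_status` is a bitmask (as the comment at the top of the hunk says), the chain reports only the first matching bit, which is worth a one-line comment such as `/* report the first matching reason only; several bits may be set */`. Curl_gtls_verifyserver continues outside the hunk.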
index 1db274b8c3f116e2d4d2d0125f474718b2e3fafe..0396bb940fd9375159813c9927ff5ba142b0c124 100644 (file)
@@ -1306,6 +1306,14 @@ wolfssl_connect_step2(struct Curl_cfilter *cf, struct Curl_easy *data)
                     "continuing anyway");
       }
     }
+    else if(ASN_AFTER_DATE_E == detail) {
+      failf(data, "server verification failed: certificate has expired.");
+      return CURLE_PEER_FAILED_VERIFICATION;
+    }
+    else if(ASN_BEFORE_DATE_E == detail) {
+      failf(data, "server verification failed: certificate not valid yet.");
+      return CURLE_PEER_FAILED_VERIFICATION;
+    }
 #ifdef USE_ECH
     else if(-1 == detail) {
       /* try access a retry_config ECHConfigList for tracing */
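Review bot: The two new `ASN_AFTER_DATE_E` / `ASN_BEFORE_DATE_E` branches return `CURLE_PEER_FAILED_VERIFICATION` unconditionally, whereas the branch immediately above them ends with "continuing anyway", which suggests it only downgrades to a warning when peer verification is disabled; if wolfSSL can surface these date errors with verification turned off, the new branches should be gated on the same verifypeer setting as their neighbour. The messages also drop the numeric `detail` value that the surrounding branches presumably preserve, so a user cannot tell which wolfSSL error code was hit; appending it, e.g. `failf(data, "server verification failed: certificate has expired (%d)", detail);`, keeps the new text and the old diagnostic. The trailing period in both new `failf` strings also differs from the GnuTLS message style elsewhere in this commit. wolfssl_connect_step2 starts before this hunk.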