lib-ssl-iostream: If certificate check fails, suggest checking ssl ca settings
authorAki Tuomi <aki.tuomi@dovecot.fi>
Tue, 24 Jul 2018 06:51:39 +0000 (09:51 +0300)
committerVille Savolainen <ville.savolainen@dovecot.fi>
Thu, 21 Mar 2019 08:02:21 +0000 (10:02 +0200)
src/lib-ssl-iostream/iostream-openssl.c

index 037fd0bae2fc303440e757f2ee5dad215be36b0a..b0393361d5199f00278bfa136992a809fcd44dfc 100644 (file)
@@ -130,8 +130,11 @@ openssl_iostream_verify_client_cert(int preverify_ok, X509_STORE_CTX *ctx)
                certname[sizeof(certname)-1] = '\0'; /* just in case.. */
        if (preverify_ok == 0) {
                openssl_iostream_set_error(ssl_io, t_strdup_printf(
-                       "Received invalid SSL certificate: %s: %s",
-                       X509_verify_cert_error_string(X509_STORE_CTX_get_error(ctx)), certname));
+                       "Received invalid SSL certificate: %s: %s (check %s)",
+                       X509_verify_cert_error_string(X509_STORE_CTX_get_error(ctx)), certname,
+                       ssl_io->ctx->client_ctx ?
+                               "ssl_client_ca_* settings?" :
+                               "ssl_ca setting?"));
                if (ssl_io->verbose_invalid_cert)
                        i_info("%s", ssl_io->last_error);
        } else if (ssl_io->verbose) {
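Review bot: The new "(check ...)" hint in the `preverify_ok == 0` branch is appended for every verification error, including ones such as an expired or revoked certificate where the CA settings are not the cause. An operator reading the log could then be nudged toward changing trust configuration for a certificate that is rightly rejected. I would fetch the error code once with `X509_STORE_CTX_get_error(ctx)` and add the hint only for the codes that indicate a missing or wrong trust anchor, leaving the message unchanged otherwise. The body of openssl_iostream_verify_client_cert starts and ends outside this hunk, so the declarations below may need to move to match the file's style.

```c
	if (preverify_ok == 0) {
		int err = X509_STORE_CTX_get_error(ctx);
		const char *hint = "";

		switch (err) {
		case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
		case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
		case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
		case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
		case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
			/* only these point at a missing or wrong trust anchor */
			hint = ssl_io->ctx->client_ctx ?
				" (check ssl_client_ca_* settings?)" :
				" (check ssl_ca setting?)";
			break;
		default:
			break;
		}
		openssl_iostream_set_error(ssl_io, t_strdup_printf(
			"Received invalid SSL certificate: %s: %s%s",
			X509_verify_cert_error_string(err), certname, hint));
		/* … unchanged: verbose_invalid_cert logging … */
```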