Detail validation errors for loaded-from-file certificate chains (#438)
authorghulands <ghulands@me.com>
Wed, 17 Jul 2019 01:06:33 +0000 (01:06 +0000)
committerSquid Anubis <squid-anubis@squid-cache.org>
Thu, 18 Jul 2019 22:21:48 +0000 (22:21 +0000)
src/security/KeyData.cc

index 2ce1b5ac57ee859959b0fd55402e10a96d0f694a..f20827ab5045d78ccce8c1f467de70eeec4edc4e 100644 (file)
@@ -119,14 +119,15 @@ Security::KeyData::loadX509ChainFromFile()
             }
 #endif
             // checks that the chained certs are actually part of a chain for validating cert
-            if (X509_check_issued(ca, latestCert.get()) == X509_V_OK) {
+            const auto checkCode = X509_check_issued(ca, latestCert.get());
+            if (checkCode == X509_V_OK) {
                 debugs(83, DBG_PARSE_NOTE(3), "Adding issuer CA: " << nameStr);
                 // OpenSSL API requires that we order certificates such that the
                 // chain can be appended directly into the on-wire traffic.
                 latestCert = CertPointer(ca);
                 chain.emplace_front(latestCert);
             } else {
-                debugs(83, DBG_PARSE_NOTE(2), "Ignoring non-issuer CA from " << certFile << ": " << nameStr);
+                debugs(83, DBG_PARSE_NOTE(2), certFile << ": Ignoring non-issuer CA " << nameStr << ": " << X509_verify_cert_error_string(checkCode) << " (" << checkCode << ")");
             }
             OPENSSL_free(nameStr);
         }
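Review bot: The comment above the new `checkCode` test overstates what `X509_check_issued` establishes: it compares the candidate's subject name against `latestCert`'s issuer name, checks the authority/subject key identifiers and the keyCertSign usage, but does not verify the issuer's signature over `latestCert`, so `X509_V_OK` here only means the file's certificates are ordered into a plausible chain, not that the chain is cryptographically valid. Suggest replacing that comment with `// checks that each loaded cert claims to be the issuer of the previous one (names, key ids, keyCertSign); no signature is verified here`. The else branch now explains why a certificate is ignored, but if `ca` is a freshly read `X509*` owned by this loop (its origin is outside the hunk), it still appears to be dropped without `X509_free(ca)`, since only the accepted branch transfers it into `CertPointer`; worth confirming against the loop header. The enclosing loop and `loadX509ChainFromFile` itself begin before this hunk.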