From: W.C.A. Wijngaards <wouter@nlnetlabs.nl>
Date: Mon, 22 Jan 2024 08:40:36 +0000 (+0100)
Subject: - Fix for #997: Print details for SSL certificate failure.
X-Git-Tag: release-1.19.3rc1~20
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1f46d5945bc41ceca7687a2f34cd5bfec6832bd9;p=thirdparty%2Funbound.git

- Fix for #997: Print details for SSL certificate failure.
---

diff --git a/doc/Changelog b/doc/Changelog
index e57943241..b87d32b9d 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,6 @@
+22 January 2024: Wouter
+	- Fix for #997: Print details for SSL certificate failure.
+
 17 January 2024: Wouter
 	- Update workflow for ports to use newer openssl on windows compile.
 	- Fix warning for windres on resource files due to redefinition.
diff --git a/util/netevent.c b/util/netevent.c
index 1750a3192..1fc8c6b86 100644
--- a/util/netevent.c
+++ b/util/netevent.c
@@ -1672,8 +1672,13 @@ ssl_handshake(struct comm_point* c)
 		} else {
 			unsigned long err = ERR_get_error();
 			if(!squelch_err_ssl_handshake(err)) {
+				long vr;
 				log_crypto_err_io_code("ssl handshake failed",
 					want, err);
+				if((vr=SSL_get_verify_result(c->ssl)) != 0)
+					log_err("ssl handshake cert error: %s",
+						X509_verify_cert_error_string(
+						vr));
 				log_addr(VERB_OPS, "ssl handshake failed",
 					&c->repinfo.remote_addr,
 					c->repinfo.remote_addrlen);