From: Alan T. DeKok <aland@freeradius.org>
Date: Mon, 31 Jul 2023 14:35:18 +0000 (-0400)
Subject: point people to the configuration which controls this message
X-Git-Tag: release_3_2_4~184
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=41021bf43171ebdde4636b95717216ef5c1ed601;p=thirdparty%2Ffreeradius-server.git

point people to the configuration which controls this message
---

diff --git a/src/main/tls.c b/src/main/tls.c
index e9c8a0c374..3f3c40b1f7 100644
--- a/src/main/tls.c
+++ b/src/main/tls.c
@@ -3372,8 +3372,10 @@ int cbtls_verify(int ok, X509_STORE_CTX *ctx)
 			if (conf->disallow_untrusted || RDEBUG_ENABLED2) {
 				int  i;
 
-				WARN("Certificate chain - %i cert(s) untrusted",
+				WARN("Certificate chain - %i intermediate CA cert(s) untrusted",
 				     X509_STORE_CTX_get_num_untrusted(ctx));
+				WARN("To forbid these certificates see 'reject_unknown_intermediate_ca'");
+
 				for (i = sk_X509_num(untrusted); i > 0 ; i--) {
 					X509 *this_cert = sk_X509_value(untrusted, i - 1);