From: Amos Jeffries
Date: Tue, 8 Nov 2016 06:34:59 +0000 (+1300)
Subject: Improve debugs warnings when loading signing certs fails
X-Git-Tag: SQUID_4_0_17~27
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=599111be065e05b61f7d5e7a6888362862f26f2b;p=thirdparty%2Fsquid.git

Improve debugs warnings when loading signing certs fails
---
diff --git a/src/ssl/support.cc b/src/ssl/support.cc
index 9c4e0fd3ef..6c4495cde6 100644
--- a/src/ssl/support.cc
+++ b/src/ssl/support.cc
@@ -1372,10 +1372,17 @@ void Ssl::readCertChainAndPrivateKeyFromFiles(Security::CertPointer & cert, EVP_
 pem_password_cb *cb = ::Config.Program.ssl_password ? &ssl_ask_password_cb : NULL;
 pkey.resetWithoutLocking(readSslPrivateKey(keyFilename, cb));
 cert.resetWithoutLocking(readSslX509CertificatesChain(certFilename, chain.get()));
- if (!pkey || !cert || !X509_check_private_key(cert.get(), pkey.get())) {
- pkey.reset();
- cert.reset();
- }
+ if (!cert) {
+ debugs(83, DBG_IMPORTANT, "WARNING: missing cert in '" << certFilename << "'");
+ } else if (!pkey) {
+ debugs(83, DBG_IMPORTANT, "WARNING: missing private key in '" << keyFilename << "'");
+ } else if (!X509_check_private_key(cert.get(), pkey.get())) {
+ debugs(83, DBG_IMPORTANT, "WARNING: X509_check_private_key() failed to verify signing cert");
+ } else
+ return; // everything is okay
+
+ pkey.reset();
+ cert.reset();
 }

 bool Ssl::generateUntrustedCert(Security::CertPointer &untrustedCert, EVP_PKEY_Pointer &untrustedPkey, Security::CertPointer const &cert, EVP_PKEY_Pointer const & pkey)
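Review bot: The third warning, `X509_check_private_key() failed to verify signing cert`, names neither file, so an operator with more than one signing cert configured cannot tell which cert/key pair was rejected, while the two branches above it already print the path. I would write it as `debugs(83, DBG_IMPORTANT, "WARNING: signing cert '" << certFilename << "' does not match private key '" << keyFilename << "'");`. The `!pkey` message says "missing", yet with `ssl_password` configured a wrong passphrase or an unparsable key file would presumably reach the same branch, so "cannot load private key from" would describe it more accurately. Because the checks are chained with `else if`, a key that also failed to load goes unreported whenever the cert is missing. The function starts above the hunk, so how callers treat the reset `cert` and `pkey` is not visible here.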