From: Stefan Eissing
Date: Mon, 12 Aug 2024 10:21:38 +0000 (+0200)
Subject: gnutls/wolfssl: improve error message when certificate fails
X-Git-Tag: curl-8_10_0~269
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=623b87750494fb1843cbb0f3599840a2215b3ae8;p=thirdparty%2Fcurl.git
gnutls/wolfssl: improve error message when certificate fails
Give more detailed reasons for certificate failures where available in gnutls and wolfssi to allow user to understand the cause of the failure.
Closes #14501
---
diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
index fc72ea2698..03d6fcc038 100644
--- a/lib/vtls/gtls.c
+++ b/lib/vtls/gtls.c
@@ -340,7 +340,7 @@ static CURLcode handshake(struct Curl_cfilter *cf,
 if(!strerr)
 strerr = gnutls_strerror(rc);
- failf(data, "gnutls_handshake() failed: %s", strerr);
+ failf(data, "GnuTLS, handshake failed: %s", strerr);
 return CURLE_SSL_CONNECT_ERROR;
 }
@@ -1295,9 +1295,18 @@ Curl_gtls_verifyserver(struct Curl_easy *data,
 /* verify_status is a bitmask of gnutls_certificate_status bits */
 if(verify_status & GNUTLS_CERT_INVALID) {
 if(config->verifypeer) {
- failf(data, "server certificate verification failed. CAfile: %s "
- "CRLfile: %s", config->CAfile ? config->CAfile:
- "none",
+ const char *cause = "certificate error, no details available";
+ if(verify_status & GNUTLS_CERT_EXPIRED)
+ cause = "certificate has expired";
+ else if(verify_status & GNUTLS_CERT_SIGNER_NOT_FOUND)
+ cause = "certificate signer not trusted";
+ else if(verify_status & GNUTLS_CERT_INSECURE_ALGORITHM)
+ cause = "certificate uses insecure algorithm";
+ else if(verify_status & GNUTLS_CERT_INVALID_OCSP_STATUS)
+ cause = "attached OCSP status response is invalid";
+ failf(data, "server verification failed: %s. (CAfile: %s "
+ "CRLfile: %s)", cause,
+ config->CAfile ? config->CAfile: "none",
 ssl_config->primary.CRLfile ? ssl_config->primary.CRLfile : "none");
 return CURLE_PEER_FAILED_VERIFICATION;
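Review bot: The else-if chain on the added lines reports at most one status bit and maps only four of them, so GNUTLS_CERT_REVOKED and GNUTLS_CERT_NOT_ACTIVATED (the not-yet-valid case the wolfSSL half of this same commit does name) still fall through to "certificate error, no details available", and a revoked certificate that has also expired is reported merely as expired. Since revocation is the finding an operator most needs to see, I would test it first, `if(verify_status & GNUTLS_CERT_REVOKED) cause = "certificate has been revoked";` followed by `else if(verify_status & GNUTLS_CERT_NOT_ACTIVATED) cause = "certificate is not yet valid";` ahead of the EXPIRED check. An alternative that covers every bit without a hand-kept table is gnutls_certificate_verification_status_print(), which renders all set flags into a gnutls_datum_t that must be released with gnutls_free(); I am inferring its availability from the GnuTLS baseline this file already requires, so check the minimum version before relying on it. Curl_gtls_verifyserver continues past the end of the hunk.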
diff --git a/lib/vtls/wolfssl.c b/lib/vtls/wolfssl.c
index 1db274b8c3..0396bb940f 100644
--- a/lib/vtls/wolfssl.c
+++ b/lib/vtls/wolfssl.c
@@ -1306,6 +1306,14 @@ wolfssl_connect_step2(struct Curl_cfilter *cf, struct Curl_easy *data)
 "continuing anyway");
 }
 }
+ else if(ASN_AFTER_DATE_E == detail) {
+ failf(data, "server verification failed: certificate has expired.");
+ return CURLE_PEER_FAILED_VERIFICATION;
+ }
+ else if(ASN_BEFORE_DATE_E == detail) {
+ failf(data, "server verification failed: certificate not valid yet.");
+ return CURLE_PEER_FAILED_VERIFICATION;
+ }
 #ifdef USE_ECH
 else if(-1 == detail) {
 /* try access a retry_config ECHConfigList for tracing */
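Review bot: The two new ASN_AFTER_DATE_E/ASN_BEFORE_DATE_E branches fail unconditionally, while the sibling branch immediately above them ends on a "continuing anyway" message, i.e. it consults the configured verification mode before deciding whether a certificate problem is fatal. Whether a date error can reach this code with peer verification switched off depends on how the verify mode is set up earlier in wolfssl_connect_step2 (outside this hunk); if wolfSSL still reports the date check under that mode, users who deliberately disabled verification would regress to a hard failure, so that should be confirmed or the branches guarded the same way as the one above. Two smaller points: the messages end with a trailing period, unlike the other failf() calls visible here and the GnuTLS message this same commit introduces (`failf(data, "server verification failed: certificate has expired");`), and since ASN_BEFORE_DATE_E is very often a skewed local clock rather than a bad certificate, a hint such as "(check the local clock)" in that message would save a support round-trip. wolfssl_connect_step2 starts before and ends after this hunk.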