From: Arne Schwabe
Date: Tue, 19 Oct 2021 18:31:22 +0000 (+0200)
Subject: Add message when decoding PKCS12 file fails.
X-Git-Tag: v2.6_beta1~414
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6ac4e63c577986ec11eae3519fe8516e8ca8ac0f;p=thirdparty%2Fopenvpn.git

Add message when decoding PKCS12 file fails.

Currently we never display the OpenSSL error stack when decoding a PKCS12 file fails. With LibreSSL defaulting to RC2-40-CBC, the failure might not be a wrong password but can actually be an unsupported encoding, seeing the error stack is really helpful (example from OpenSSL 3.0):

error:0308010C:digital envelope routines:inner_evp_generic_fetch: unsupported:crypto/evp/evp_fetch.c:346:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()

to pinpoint the issue

Signed-off-by: Arne Schwabe
Acked-by: Gert Doering
Message-Id: <20211019183127.614175-17-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23017.html
Signed-off-by: Gert Doering
---
diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index 9a7cb9c64..30fc7aef1 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -806,6 +806,8 @@ tls_ctx_load_pkcs12(struct tls_root_ctx *ctx, const char *pkcs12_file, ca = NULL; if (!PKCS12_parse(p12, password, &pkey, &cert, &ca)) { + crypto_msg(M_WARN, "Decoding PKCS12 failed. Probably wrong password " + "or unsupported/legacy encryption"); #ifdef ENABLE_MANAGEMENT if (management && (ERR_GET_REASON(ERR_peek_error()) == PKCS12_R_MAC_VERIFY_FAILURE)) {
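
Review bot: The added crypto_msg() call sits at the top of the `if (!PKCS12_parse(...))` block, ahead of the ENABLE_MANAGEMENT check `ERR_GET_REASON(ERR_peek_error()) == PKCS12_R_MAC_VERIFY_FAILURE`, so the ordering needs confirming: if printing the OpenSSL error stack also consumes it, ERR_peek_error() will find an empty queue and the management branch for a wrong password is never taken. Please either read the reason code into a local variable before logging and compare against that, or move the crypto_msg() call below the #ifdef block. A one-line comment stating which of the two calls owns the error queue would also keep later edits from reordering them.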