From: Aki Tuomi <aki.tuomi@dovecot.fi>
Date: Tue, 24 Jul 2018 06:51:39 +0000 (+0300)
Subject: lib-ssl-iostream: If certificate check fails, suggest checking ssl ca settings
X-Git-Tag: 2.3.6~119
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9da7d814fa25d0f75a9c499fce6098a4352cbba9;p=thirdparty%2Fdovecot%2Fcore.git

lib-ssl-iostream: If certificate check fails, suggest checking ssl ca settings
---

diff --git a/src/lib-ssl-iostream/iostream-openssl.c b/src/lib-ssl-iostream/iostream-openssl.c
index 037fd0bae2..b0393361d5 100644
--- a/src/lib-ssl-iostream/iostream-openssl.c
+++ b/src/lib-ssl-iostream/iostream-openssl.c
@@ -130,8 +130,11 @@ openssl_iostream_verify_client_cert(int preverify_ok, X509_STORE_CTX *ctx)
 		certname[sizeof(certname)-1] = '\0'; /* just in case.. */
 	if (preverify_ok == 0) {
 		openssl_iostream_set_error(ssl_io, t_strdup_printf(
-			"Received invalid SSL certificate: %s: %s",
-			X509_verify_cert_error_string(X509_STORE_CTX_get_error(ctx)), certname));
+			"Received invalid SSL certificate: %s: %s (check %s)",
+			X509_verify_cert_error_string(X509_STORE_CTX_get_error(ctx)), certname,
+			ssl_io->ctx->client_ctx ?
+				"ssl_client_ca_* settings?" :
+				"ssl_ca setting?"));
 		if (ssl_io->verbose_invalid_cert)
 			i_info("%s", ssl_io->last_error);
 	} else if (ssl_io->verbose) {