From: ghulands
Date: Wed, 17 Jul 2019 01:06:33 +0000 (+0000)
Subject: Detail validation errors for loaded-from-file certificate chains (#438)
X-Git-Tag: SQUID_5_0_1~68
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e10182dab0294c9ca46d45193b203711a3996a6f;p=thirdparty%2Fsquid.git
Detail validation errors for loaded-from-file certificate chains (#438)
---
diff --git a/src/security/KeyData.cc b/src/security/KeyData.cc
index 2ce1b5ac57..f20827ab50 100644
--- a/src/security/KeyData.cc
+++ b/src/security/KeyData.cc
@@ -119,14 +119,15 @@ Security::KeyData::loadX509ChainFromFile()
 }
 #endif
 // checks that the chained certs are actually part of a chain for validating cert
- if (X509_check_issued(ca, latestCert.get()) == X509_V_OK) {
+ const auto checkCode = X509_check_issued(ca, latestCert.get());
+ if (checkCode == X509_V_OK) {
 debugs(83, DBG_PARSE_NOTE(3), "Adding issuer CA: " << nameStr);
 // OpenSSL API requires that we order certificates such that the
 // chain can be appended directly into the on-wire traffic.
 latestCert = CertPointer(ca);
 chain.emplace_front(latestCert);
 } else {
- debugs(83, DBG_PARSE_NOTE(2), "Ignoring non-issuer CA from " << certFile << ": " << nameStr);
+ debugs(83, DBG_PARSE_NOTE(2), certFile << ": Ignoring non-issuer CA " << nameStr << ": " << X509_verify_cert_error_string(checkCode) << " (" << checkCode << ")");
 }
 OPENSSL_free(nameStr);
 }
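Review bot: The new `checkCode` diagnostic, rendered through X509_verify_cert_error_string(), reads like a chain-validation result, but X509_check_issued() only tests issuer/subject name linkage, the AKID/SKID match and the issuer's keyUsage; it does not verify the signature on latestCert, so a "non-issuer CA" that passes this check has still not been cryptographically validated here. The existing comment above the call ("checks that the chained certs are actually part of a chain for validating cert") should say so explicitly, e.g. `// X509_check_issued() checks name/key-identifier linkage and issuer keyUsage only; it does not verify the issuer signature.` It would also help readers of the log to add on the new declaration `// X509_V_OK or an X509_V_ERR_* code, hence the error-string lookup below`. The enclosing loadX509ChainFromFile() starts and ends outside the hunk, so I could not confirm where (or whether) signature verification of the loaded chain happens later.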