nts: log details about failed certificate verification
authorMiroslav Lichvar <mlichvar@redhat.com>
Tue, 7 Jul 2020 10:33:46 +0000 (12:33 +0200)
committerMiroslav Lichvar <mlichvar@redhat.com>
Thu, 9 Jul 2020 12:46:57 +0000 (14:46 +0200)
nts_ke_session.c

index 7dfb0c4128e4fd80c82631948a027193d80e962e..05ca99f384f2e0edb0f754e4874a10925820e9da 100644 (file)
@@ -393,8 +393,22 @@ handle_event(NKSN_Instance inst, int event)
 
       if (r < 0) {
         if (gnutls_error_is_fatal(r)) {
+          gnutls_datum_t cert_error;
+
+          /* Get a description of verification errors */
+          if (r != GNUTLS_E_CERTIFICATE_VERIFICATION_ERROR ||
+              gnutls_certificate_verification_status_print(
+                          gnutls_session_get_verify_cert_status(inst->tls_session),
+                          gnutls_certificate_type_get(inst->tls_session), &cert_error, 0) < 0)
+            cert_error.data = NULL;
+
           LOG(inst->server ? LOGS_DEBUG : LOGS_ERR,
-              "TLS handshake with %s failed : %s", inst->label, gnutls_strerror(r));
+              "TLS handshake with %s failed : %s%s%s", inst->label, gnutls_strerror(r),
+              cert_error.data ? " " : "", cert_error.data ? (const char *)cert_error.data : "");
+
+          if (cert_error.data)
+            gnutls_free(cert_error.data);
+
           stop_session(inst);
 
           /* Increase the retry interval if the handshake did not fail due
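Review bot: The `%s%s%s` LOG call hands `cert_error.data` to a `%s` conversion, which is only safe because `gnutls_certificate_verification_status_print()` NUL-terminates the datum it allocates; the code never uses `cert_error.size`, so a reader has to know that contract, and a comment above the LOG such as `/* status text from gnutls is NUL-terminated; .size is not needed */` would make it explicit. The printed status is also only meaningful if the session was configured to verify the peer during the handshake with `gnutls_session_set_verify_cert()`, since otherwise `gnutls_session_get_verify_cert_status()` reports every failure bit set and the message would list problems that did not occur; that setup is outside this hunk and worth confirming. Initialising the datum up front, `gnutls_datum_t cert_error = { NULL, 0 };`, would make every path explicit and let the `if (cert_error.data)` guard go, as `gnutls_free(NULL)` is a no-op. The enclosing handle_event() starts and ends outside the hunk.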