copy certs even on failure, so that they can be logged.
authorAlan T. DeKok <aland@freeradius.org>
Mon, 13 Sep 2021 21:13:24 +0000 (17:13 -0400)
committerAlan T. DeKok <aland@freeradius.org>
Mon, 13 Sep 2021 21:13:24 +0000 (17:13 -0400)
finalizing commit c157da82eb

src/main/tls.c

index 07f2c5b840fb9fbfc820ad95188d857116bc2287..09a2784209b26cfbb9429870124f7fcd028d8135 100644 (file)
@@ -3048,6 +3048,12 @@ int cbtls_verify(int ok, X509_STORE_CTX *ctx)
                char const *p = X509_verify_cert_error_string(err);
                RERROR("(TLS) OpenSSL says error %d : %s", err, p);
                REXDENT();
+
+               /*
+                *      Copy certs even on failure so that they can be logged.
+                */
+               if (certs && request) fr_pair_add(&request->packet->vps, fr_pair_list_copy(request->packet, *certs));
+
                return my_ok;
        }
 
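Review bot: The copy added before the early `return my_ok` puts certificate attributes into `request->packet->vps` on a path that has just logged an OpenSSL verification error, and the comment does not say that these values are unverified. I would extend it to something like `Copy certs even on failure so that they can be logged. Verification failed, so these attributes are peer-supplied and untrusted: log them, do not base policy decisions on them.` The same caveat applies to the copy at the end of the function in the second hunk. The statement also duplicates that later block with a different guard and without braces; a braced `if (certs && request) { ... }` would keep the two call sites consistent. The enclosing block starts outside the hunk, so whether `my_ok` is always zero here is not visible.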
@@ -3365,6 +3371,10 @@ int cbtls_verify(int ok, X509_STORE_CTX *ctx)
                ssn->client_cert_ok = (my_ok == 1);
        } /* depth == 0 */
 
+       /*
+        *      Copy certs to request even on failure, so that the
+        *      user can log them.
+        */
        if (certs && request && !my_ok) {
                fr_pair_add(&request->packet->vps, fr_pair_list_copy(request->packet, *certs));
        }
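Review bot: The new comment says the certs are copied "even on failure", but the guard under it is `certs && request && !my_ok`, so this block copies only on failure. A wording such as `On failure, copy the certs to the request so that the user can log them.` would match the condition. Whether and where the success path copies them is outside this hunk.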