TLS DNS: fix certificate verification error message reporting

author Artem Boldariev <artem@boldariev.com>

Tue, 11 Oct 2022 18:00:04 +0000 (21:00 +0300)

committer Artem Boldariev <artem@boldariev.com>

Wed, 12 Oct 2022 13:24:04 +0000 (16:24 +0300)
author Artem Boldariev <artem@boldariev.com>
Tue, 11 Oct 2022 18:00:04 +0000 (21:00 +0300)
committer Artem Boldariev <artem@boldariev.com>
Wed, 12 Oct 2022 13:24:04 +0000 (16:24 +0300)
diff --git a/lib/isc/netmgr/netmgr-int.h b/lib/isc/netmgr/netmgr-int.h

index 56d4792c2e5c9129df1afceba88f7147c3d665e4..aa23797c4905407792a33398811c0cc8fcc7ddd2 100644 (file)
--- a/lib/isc/netmgr/netmgr-int.h
+++ b/lib/isc/netmgr/netmgr-int.h
@@ -891,6 +891,7 @@ struct isc_nmsocket {
                 /* List of active send requests. */
                 isc__nm_uvreq_t *pending_req;
                 bool alpn_negotiated;
+               const char *tls_verify_errmsg;
         } tls;
  
  #if HAVE_LIBNGHTTP2
diff --git a/lib/isc/netmgr/tlsdns.c b/lib/isc/netmgr/tlsdns.c

index 051dbf814f4fc64b645936d34c84a8aaa9475a2a..7ec144941ecad1d8c1bc4028ed15193a04683dc9 100644 (file)
--- a/lib/isc/netmgr/tlsdns.c
+++ b/lib/isc/netmgr/tlsdns.c
@@ -872,6 +872,12 @@ isc__nm_tlsdns_failed_read_cb(isc_nmsocket_t *sock, isc_result_t result,
                 sock->tls.pending_req = NULL;
  
                 if (peer_verification_has_failed(sock)) {
+                       /*
+                        * Save error message as 'sock->tls' will get detached.
+                        */
+                       sock->tls.tls_verify_errmsg =
+                               isc_tls_verify_peer_result_string(
+                                       sock->tls.tls);
                         failure_result = ISC_R_TLSBADPEERCERT;
                 }
                 isc__nm_failed_connect_cb(sock, req, failure_result, async);
@@ -2082,6 +2088,13 @@ isc__nm_tlsdns_shutdown(isc_nmsocket_t *sock) {
                         sock->tls.pending_req = NULL;
  
                         if (peer_verification_has_failed(sock)) {
+                               /*
+                                * Save error message as 'sock->tls' will get
+                                * detached.
+                                */
+                               sock->tls.tls_verify_errmsg =
+                                       isc_tls_verify_peer_result_string(
+                                               sock->tls.tls);
                                 result = ISC_R_TLSBADPEERCERT;
                         }
                         isc__nm_failed_connect_cb(sock, req, result, false);
@@ -2174,7 +2187,7 @@ isc__nm_tlsdns_verify_tls_peer_result_string(const isc_nmhandle_t *handle) {
  
         sock = handle->sock;
         if (sock->tls.tls == NULL) {
-               return (NULL);
+               return (sock->tls.tls_verify_errmsg);
         }
  
         return (isc_tls_verify_peer_result_string(sock->tls.tls));
author	Artem Boldariev <artem@boldariev.com>
	Tue, 11 Oct 2022 18:00:04 +0000 (21:00 +0300)
committer	Artem Boldariev <artem@boldariev.com>
	Wed, 12 Oct 2022 13:24:04 +0000 (16:24 +0300)
lib/isc/netmgr/netmgr-int.h		patch \| blob \| blame \| history
lib/isc/netmgr/tlsdns.c		patch \| blob \| blame \| history