From: Timo Sirainen
Date: Wed, 15 Apr 2020 12:59:09 +0000 (+0300)
Subject: lib-ssl-iostream: Improve error messages for ssl_client_ca_* parsing errors
X-Git-Tag: 2.3.11.2~192
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=22930af177723298a3a1ed78468fcc338ed096ae;p=thirdparty%2Fdovecot%2Fcore.git

lib-ssl-iostream: Improve error messages for ssl_client_ca_* parsing errors
---

diff --git a/src/lib-ssl-iostream/iostream-openssl-context.c b/src/lib-ssl-iostream/iostream-openssl-context.c
index 2328b42c53..225c584cf7 100644
--- a/src/lib-ssl-iostream/iostream-openssl-context.c
+++ b/src/lib-ssl-iostream/iostream-openssl-context.c
@@ -281,13 +281,26 @@ static int
 load_ca_locations(struct ssl_iostream_context *ctx, const char *ca_file,
 const char *ca_dir, const char **error_r)
 {
- if (SSL_CTX_load_verify_locations(ctx->ssl_ctx, ca_file, ca_dir) == 0) {
+ if (SSL_CTX_load_verify_locations(ctx->ssl_ctx, ca_file, ca_dir) != 0)
+ return 0;
+
+ if (ca_dir == NULL) {
+ *error_r = t_strdup_printf(
+ "Can't load CA certs from %s "
+ "(ssl_client_ca_file setting): %s",
+ ca_file, openssl_iostream_error());
+ } else if (ca_file == NULL) {
 *error_r = t_strdup_printf(
- "Can't load CA certs from directory %s: %s",
+ "Can't load CA certs from directory %s "
+ "(ssl_client_ca_dir setting): %s",
 ca_dir, openssl_iostream_error());
- return -1;
+ } else {
+ *error_r = t_strdup_printf(
+ "Can't load CA certs from file %s and directory %s "
+ "(ssl_client_ca_* settings): %s",
+ ca_file, ca_dir, openssl_iostream_error());
 }
- return 0;
+ return -1;
 }

 static void
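Review bot: The `ca_dir == NULL` branch passes `ca_file` to `%s` without knowing it is non-NULL, so a call with both arguments NULL would format a NULL string in the error path (SSL_CTX_load_verify_locations fails when both are NULL). The callers are outside the hunk, so whether that combination can reach this function is not visible here. If the caller is meant to guarantee it, state the contract at the top of the function with `i_assert(ca_file != NULL || ca_dir != NULL);`. As a wording point, the first message says `from %s` while the third says `from file %s`; using `from file %s` in both would keep the log lines consistent for anyone grepping them. Failing closed with -1 on any load error is the right behaviour for certificate verification and is preserved by the rewrite.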