From: William Lallemand
Date: Tue, 15 Nov 2022 15:56:03 +0000 (+0100)
Subject: MINOR: ssl: ssl_sock_load_cert_chain() display error strings
X-Git-Tag: v2.7-dev9~63
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=45fed2c7a6bb762d5a52b9355cedde15d6f7cd3b;p=thirdparty%2Fhaproxy.git

MINOR: ssl: ssl_sock_load_cert_chain() display error strings

Display error strings when SSL_CTX_use_certificate() or SSL_CTX_set1_chain() doesn't work.
---

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 187e190b22..e066f286d7 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -3640,6 +3640,9 @@ static int ssl_sock_load_cert_chain(const char *path, const struct cert_key_and_
 SSL_CTX *ctx, STACK_OF(X509) **find_chain, char **err)
 {
 int errcode = 0;
+ int ret;
+
+ ERR_clear_error();
 
 if (find_chain == NULL) {
 errcode |= ERR_FATAL;
@@ -3647,8 +3650,9 @@ static int ssl_sock_load_cert_chain(const char *path, const struct cert_key_and_
 }
 
 if (!SSL_CTX_use_certificate(ctx, ckch->cert)) {
- memprintf(err, "%sunable to load SSL certificate into SSL Context '%s'.\n",
- err && *err ? *err : "", path);
+ ret = ERR_get_error();
+ memprintf(err, "%sunable to load SSL certificate into SSL Context '%s': %s.\n",
+ err && *err ? *err : "", path, ERR_reason_error_string(ret));
 errcode |= ERR_ALERT | ERR_FATAL;
 goto end;
 }
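Review bot: `ret` is declared as `int` in this hunk, but the later hunks store the result of `ERR_get_error()` in it and hand it back to `ERR_reason_error_string()`, and both of those use `unsigned long` in OpenSSL's API. An error code above INT_MAX is narrowed with an implementation-defined result and then sign-extended on the way back in, so the reason lookup can be done on a different value than the one OpenSSL queued. Declaring it as `unsigned long ret;` keeps the packed code intact. The function body continues outside this hunk.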
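Review bot: `ERR_reason_error_string(ret)` is passed straight to a `%s` conversion in the SSL_CTX_use_certificate() failure branch, but it returns NULL when no reason string is registered for the code, or when the queue was empty and `ret` is 0. Assuming memprintf() forwards to a printf-family formatter, a NULL `%s` argument is undefined behaviour and only some libcs print "(null)" instead of faulting. Take the pointer first, `const char *reason = ERR_reason_error_string(ret);`, and pass `reason ? reason : "unknown error"` as the last argument. The SSL_CTX_set1_chain() hunk has the same call and needs the same fallback.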
@@ -3672,8 +3676,9 @@ static int ssl_sock_load_cert_chain(const char *path, const struct cert_key_and_
 /* Load all certs in the ckch into the ctx_chain for the ssl_ctx */
 #ifdef SSL_CTX_set1_chain
 if (!SSL_CTX_set1_chain(ctx, *find_chain)) {
- memprintf(err, "%sunable to load chain certificate into SSL Context '%s'. Make sure you are linking against Openssl >= 1.0.2.\n",
- err && *err ? *err : "", path);
+ ret = ERR_get_error();
+ memprintf(err, "%sunable to load chain certificate into SSL Context '%s': %s. Make sure you are linking against Openssl >= 1.0.2.\n",
+ err && *err ? *err : "", path, ERR_reason_error_string(ret));
 errcode |= ERR_ALERT | ERR_FATAL;
 goto end;
 }
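Review bot: Only the earliest queue entry is consumed by `ERR_get_error()` on this failure path, and likewise on the SSL_CTX_use_certificate() one; anything else OpenSSL pushed for the same failure stays in the thread's error queue after `goto end`. The `end:` label is outside the hunk, so it may already drain the queue. If it does not, add `ERR_clear_error();` right after the memprintf() call so that stale entries cannot be attributed to a later, unrelated TLS operation on the same thread. A short comment such as `/* report the first queued error, drop the rest */` would document the intent.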