openssl: extend the OpenSSL error messages
authorDaniel Stenberg <daniel@haxx.se>
Fri, 1 Nov 2024 16:05:15 +0000 (17:05 +0100)
committerDaniel Stenberg <daniel@haxx.se>
Mon, 4 Nov 2024 07:42:05 +0000 (08:42 +0100)
Previously there were three error situations that only added the (unhelpful)
OpenSSL error strings, now we prefix those with a short explanation for the
error situation.

Reported-by: Jeroen Ooms
Fixes #15473
Closes #15474

lib/vtls/openssl.c

index b60869ddad8edda761b369f58e54326380156b13..e8be5d0ccd91048ffd3e6aa41a81ca0ce3c1e767 100644 (file)
@@ -4237,7 +4237,8 @@ static CURLcode ossl_connect_step2(struct Curl_cfilter *cf,
         /* If client certificate is required, communicate the
            error to client */
         result = CURLE_SSL_CLIENTCERT;
-        ossl_strerror(errdetail, error_buffer, sizeof(error_buffer));
+        failf(data, "TLS cert problem: %s",
+              ossl_strerror(errdetail, error_buffer, sizeof(error_buffer)));
       }
 #endif
 #ifdef USE_ECH
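Review bot: The prefix `TLS cert problem:` does not say which certificate is at fault, although this branch sets `CURLE_SSL_CLIENTCERT` and its comment describes a required client certificate. Someone triaging a handshake failure from the message alone cannot tell this apart from a failure to verify the server's certificate. A wording such as `failf(data, "TLS client certificate required: %s",` would keep the two cases distinct in logs. The `else if` that opens this branch lies above the hunk, so its exact condition is not visible here.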
@@ -4252,12 +4253,14 @@ static CURLcode ossl_connect_step2(struct Curl_cfilter *cf,
         ossl_trace_ech_retry_configs(data, octx->ssl, reason);
 
         result = CURLE_ECH_REQUIRED;
-        ossl_strerror(errdetail, error_buffer, sizeof(error_buffer));
+        failf(data, "ECH required: %s",
+              ossl_strerror(errdetail, error_buffer, sizeof(error_buffer)));
       }
 #endif
       else {
         result = CURLE_SSL_CONNECT_ERROR;
-        ossl_strerror(errdetail, error_buffer, sizeof(error_buffer));
+        failf(data, "TLS connect error: %s",
+              ossl_strerror(errdetail, error_buffer, sizeof(error_buffer)));
       }
 
       /* detail is already set to the SSL error above */
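Review bot: The `failf(data, "TLS connect error: %s", ...)` in the final `else` now fires before the early-return block that sits between this hunk and the next, whereas the removed `failf(data, "%s", error_buffer);` ran only after it. That block is not shown, so this is inferred: if it emits its own, more specific message for `CURLE_SSL_CONNECT_ERROR` (for example when `errdetail` is 0 because OpenSSL queued nothing), and if failf keeps only the first message for the application's error buffer, callers would now receive the OpenSSL text for an empty error code instead of that message. Guarding the call, `if(errdetail) failf(data, "TLS connect error: %s", ossl_strerror(errdetail, error_buffer, sizeof(error_buffer)));`, or moving the prefixed message after that block would preserve the old precedence. ossl_connect_step2 begins and ends outside the hunk.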
@@ -4278,9 +4281,6 @@ static CURLcode ossl_connect_step2(struct Curl_cfilter *cf,
         return result;
       }
 
-      /* Could be a CERT problem */
-      failf(data, "%s", error_buffer);
-
       return result;
     }
   }