From: Wouter Wijngaards
Date: Thu, 19 Jul 2018 06:22:11 +0000 (+0000)
Subject: - Fix #4129 unbound-control error message with wrong cert permissions
X-Git-Tag: release-1.8.0rc1~91
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=38e77d50f2182fdde97ab48b82ff1cd590a75f78;p=thirdparty%2Funbound.git

- Fix #4129 unbound-control error message with wrong cert permissions is too cryptic.

git-svn-id: file:///svn/unbound/trunk@4791 be551aaa-1e26-0410-a405-d3ace91eadb9
---
diff --git a/doc/Changelog b/doc/Changelog
index 4b3b61c39..4a4a2347c 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,7 @@
+19 July 2018: Wouter
+ - Fix #4129 unbound-control error message with wrong cert permissions
+ is too cryptic.
+
 17 July 2018: Wouter
 - Fix #4127 unbound -h does not list -p help.
 - Print error if SSL name verification configured but not available
diff --git a/smallapp/unbound-control.c b/smallapp/unbound-control.c
index ddaa05742..f6597b79a 100644
--- a/smallapp/unbound-control.c
+++ b/smallapp/unbound-control.c
@@ -447,6 +447,22 @@ static void ssl_err(const char* s)
 exit(1);
 }
 
+/** exit with ssl error related to a file path */
+static void ssl_path_err(const char* s, const char *path)
+{
+ unsigned long err;
+ err = ERR_peek_error();
+ if (ERR_GET_LIB(err) == ERR_LIB_SYS &&
+ (ERR_GET_FUNC(err) == SYS_F_FOPEN ||
+ ERR_GET_FUNC(err) == SYS_F_FREAD) ) {
+ fprintf(stderr, "error: %s\n%s: %s\n",
+ s, path, ERR_reason_error_string(err));
+ exit(1);
+ } else {
+ ssl_err(s);
+ }
+}
+
 /** setup SSL context */
 static SSL_CTX* setup_ctx(struct config_file* cfg)
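Review bot: `ERR_reason_error_string(err)` in the new `ssl_path_err` can return NULL when OpenSSL has no text registered for that code, and the NULL then reaches the `%s` in the `fprintf`, which is undefined behaviour in C (glibc merely happens to print `(null)`); take it into a local first, `const char *reason = ERR_reason_error_string(err);`, and print `reason ? reason : "unknown error"`. A smaller point is that the `ERR_GET_FUNC(err) == SYS_F_FOPEN || ... SYS_F_FREAD` test limits the path-specific message to two function codes, so a system-library error raised by any other call while loading the file still ends in the cryptic `ssl_err(s)` this commit set out to replace. Checking `ERR_GET_LIB(err) == ERR_LIB_SYS` alone would cover every errno-backed failure at this point, and as far as I recall later OpenSSL releases stopped carrying function codes, so a test that does not depend on `ERR_GET_FUNC` is also the more portable one; worth confirming against the OpenSSL versions unbound targets. The fallback `ssl_err` begins before this hunk, so its behaviour is not visible here.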
@@ -470,12 +486,15 @@ setup_ctx(struct config_file* cfg)
 if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)
 != SSL_OP_NO_SSLv3)
 ssl_err("could not set SSL_OP_NO_SSLv3");
- if(!SSL_CTX_use_certificate_chain_file(ctx,c_cert) ||
- !SSL_CTX_use_PrivateKey_file(ctx,c_key,SSL_FILETYPE_PEM)
- || !SSL_CTX_check_private_key(ctx))
- ssl_err("Error setting up SSL_CTX client key and cert");
+ if(!SSL_CTX_use_certificate_chain_file(ctx,c_cert))
+ ssl_path_err("Error setting up SSL_CTX client cert", c_cert);
+ if (!SSL_CTX_use_PrivateKey_file(ctx,c_key,SSL_FILETYPE_PEM))
+ ssl_path_err("Error setting up SSL_CTX client key", c_key);
+ if (!SSL_CTX_check_private_key(ctx))
+ ssl_err("Error setting up SSL_CTX client key");
 if (SSL_CTX_load_verify_locations(ctx, s_cert, NULL) != 1)
- ssl_err("Error setting up SSL_CTX verify, server cert");
+ ssl_path_err("Error setting up SSL_CTX verify, server cert",
+ s_cert);
 SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);
 free(s_cert);