From: Timo Sirainen Date: Tue, 29 Sep 2009 14:15:18 +0000 (-0400) Subject: ssl: If given ssl key is for a different cert, give a nicer error message. X-Git-Tag: 2.0.alpha1~107 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=8e1691ee088d082758c995dc8adf842dfbdeec04;p=thirdparty%2Fdovecot%2Fcore.git ssl: If given ssl key is for a different cert, give a nicer error message. --HG-- branch : HEAD
---
diff --git a/src/login-common/ssl-proxy-openssl.c b/src/login-common/ssl-proxy-openssl.c
index fa210f02d4..bf046ffcd1 100644
--- a/src/login-common/ssl-proxy-openssl.c
+++ b/src/login-common/ssl-proxy-openssl.c
@@ -925,13 +925,24 @@ static EVP_PKEY *ssl_proxy_load_key(const struct login_settings *set)
 return pkey;
 }
+static const char *ssl_key_load_error(void)
+{
+ unsigned long err = ERR_peek_error();
+
+ if (ERR_GET_LIB(err) == ERR_LIB_X509 &&
+ ERR_GET_REASON(err) == X509_R_KEY_VALUES_MISMATCH)
+ return "Key is for a different cert than ssl_cert";
+ else
+ return ssl_last_error();
+}
+
 static void ssl_proxy_ctx_use_key(SSL_CTX *ctx, const struct login_settings *set)
 {
 EVP_PKEY *pkey;
 pkey = ssl_proxy_load_key(set);
 if (SSL_CTX_use_PrivateKey(ctx, pkey) != 1)
- i_fatal("Can't load private ssl_key: %s", ssl_last_error());
+ i_fatal("Can't load private ssl_key: %s", ssl_key_load_error());
 EVP_PKEY_free(pkey);
 }
@@ -941,7 +952,7 @@ static int ssl_proxy_use_key(SSL *ssl, const struct login_settings *set)
 pkey = ssl_proxy_load_key(set);
 if (SSL_use_PrivateKey(ssl, pkey) != 1) {
- i_error("Can't load private ssl_key: %s", ssl_last_error());
+ i_error("Can't load private ssl_key: %s", ssl_key_load_error());
 return -1;
 }
 EVP_PKEY_free(pkey);
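Review bot: `ERR_peek_error()` in ssl_key_load_error() returns the oldest entry on the thread's error queue, so if an earlier call left an error queued before SSL_CTX_use_PrivateKey() failed (ssl_proxy_load_key() runs just before it and its body is not visible here), the X509_R_KEY_VALUES_MISMATCH test looks at the wrong entry and the clearer message is skipped. Reading the newest entry with `unsigned long err = ERR_peek_last_error();`, or calling `ERR_clear_error();` immediately before the use-key call, would tie the check to the failure actually being reported. A one-line comment on the helper, such as `/* Peeks only; the mismatch branch leaves the entry queued. */`, would make that contract explicit for the second caller in the next hunk.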
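Review bot: The failure branch of ssl_proxy_use_key() returns -1 before reaching `EVP_PKEY_free(pkey)`, so every failed call leaves the loaded private key object allocated; the hunk edits that branch but keeps the early return, and adding `EVP_PKEY_free(pkey);` before `return -1;` would close it. In addition, when ssl_key_load_error() takes its mismatch branch it only peeks at the queue, and unlike the i_fatal() caller this function keeps running, so the entry stays queued and may be attributed to a later SSL operation on the same thread; an `ERR_clear_error();` on this path would avoid that. The function begins above the hunk and continues past its last line.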