TLS DNS: fix certificate verification error message reporting
authorArtem Boldariev <artem@boldariev.com>
Tue, 11 Oct 2022 18:00:04 +0000 (21:00 +0300)
committerArtem Boldariev <artem@boldariev.com>
Wed, 12 Oct 2022 13:53:06 +0000 (16:53 +0300)
This commit fixes TLS DNS verification error message reporting which
we probably broke during one of the recent networking code
refactorings.

This prevents e.g. dig from producing useful error messages related to
TLS certificate verification.

lib/isc/netmgr/netmgr-int.h
lib/isc/netmgr/tlsdns.c

index 1417d7c68bf6e6b4b213d5bdeea5b411d88d4ef3..0aba2b8b599603e40a55a1deda529143e8e60a15 100644 (file)
@@ -1003,6 +1003,7 @@ struct isc_nmsocket {
                /* List of active send requests. */
                isc__nm_uvreq_t *pending_req;
                bool alpn_negotiated;
+               const char *tls_verify_errmsg;
        } tls;
 
 #if HAVE_LIBNGHTTP2
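Review bot: The new `tls_verify_errmsg` member has no comment, while the neighbouring `pending_req` field documents itself, and its lifetime is the non-obvious part: it is read after `tls` has been detached. A one-line comment would tell the next reader what it holds and why it outlives the TLS object, e.g. `/* Peer certificate verification error, saved before 'tls' is detached. */`. Whether the pointer refers to static storage or to memory owned by `tls` is not visible here; if it is the latter, the saved pointer would dangle, so the comment should state which it is.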
index a0d55203abfa7aa7d170e7316ca12daaf6221c9a..c624b3c36b6aa03592b2c3365790c4489ba3c846 100644 (file)
@@ -863,6 +863,12 @@ isc__nm_tlsdns_failed_read_cb(isc_nmsocket_t *sock, isc_result_t result,
                sock->tls.pending_req = NULL;
 
                if (peer_verification_has_failed(sock)) {
+                       /*
+                        * Save error message as 'sock->tls' will get detached.
+                        */
+                       sock->tls.tls_verify_errmsg =
+                               isc_tls_verify_peer_result_string(
+                                       sock->tls.tls);
                        failure_result = ISC_R_TLSBADPEERCERT;
                }
                isc__nm_failed_connect_cb(sock, req, failure_result, async);
@@ -2121,6 +2127,13 @@ isc__nm_tlsdns_shutdown(isc_nmsocket_t *sock) {
                        sock->tls.pending_req = NULL;
 
                        if (peer_verification_has_failed(sock)) {
+                               /*
+                                * Save error message as 'sock->tls' will get
+                                * detached.
+                                */
+                               sock->tls.tls_verify_errmsg =
+                                       isc_tls_verify_peer_result_string(
+                                               sock->tls.tls);
                                result = ISC_R_TLSBADPEERCERT;
                        }
                        isc__nm_failed_connect_cb(sock, req, result, false);
@@ -2214,7 +2227,7 @@ isc__nm_tlsdns_verify_tls_peer_result_string(const isc_nmhandle_t *handle) {
 
        sock = handle->sock;
        if (sock->tls.tls == NULL) {
-               return (NULL);
+               return (sock->tls.tls_verify_errmsg);
        }
 
        return (isc_tls_verify_peer_result_string(sock->tls.tls));
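Review bot: The six-line "save the message before 'sock->tls' is detached" block is duplicated verbatim in `isc__nm_tlsdns_failed_read_cb` and `isc__nm_tlsdns_shutdown`, and the comment text differs only by line wrapping; both call sites could become a single `save_tls_verify_errmsg(sock);` so the two paths cannot drift apart. The new return in `isc__nm_tlsdns_verify_tls_peer_result_string` relies on `tls_verify_errmsg` being NULL when verification never failed; that appears to hold only if the socket is zero-initialised and the field is not reused across connections, which this page does not show, so a reset at the point where `sock->tls.tls` is (re)attached would be worth confirming. The safety of returning the saved pointer after the TLS object is gone also depends on `isc_tls_verify_peer_result_string()` returning a string that does not live inside `sock->tls.tls`; that is not visible here and deserves a note on the helper. All three enclosing functions start outside their hunks.
```c
/*
 * Keep the peer verification error reachable after 'sock->tls' is
 * detached; the string must not be owned by sock->tls.tls.
 */
static void
save_tls_verify_errmsg(isc_nmsocket_t *sock) {
	sock->tls.tls_verify_errmsg =
		isc_tls_verify_peer_result_string(sock->tls.tls);
}
/* … unchanged: both failure branches call save_tls_verify_errmsg(sock); … */
```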