a3e77b68ce
- better patch (not only) for SCP/SFTP polling - improve error message for not matching common name (#516056)
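--- a/lib/nss.c
+++ b/lib/nss.c
@@ -591,7 +591,7 @@ static SECStatus BadCertHandler(void *ar
 struct connectdata *conn = (struct connectdata *)arg;
 PRErrorCode err = PR_GetError();
 CERTCertificate *cert = NULL;
- char *subject, *issuer;
+ char *subject, *subject_cn, *issuer;
 
 if(conn->data->set.ssl.certverifyresult!=0)
 return success;
@@ -599,6 +599,7 @@ static SECStatus BadCertHandler(void *ar
 conn->data->set.ssl.certverifyresult=err;
 cert = SSL_PeerCertificate(sock);
 subject = CERT_NameToAscii(&cert->subject);
+ subject_cn = CERT_GetCommonName(&cert->subject);
 issuer = CERT_NameToAscii(&cert->issuer);
 CERT_DestroyCertificate(cert);
 
@@ -616,12 +617,12 @@ static SECStatus BadCertHandler(void *ar
 break;
 case SSL_ERROR_BAD_CERT_DOMAIN:
 if(conn->data->set.ssl.verifyhost) {
- failf(conn->data, "common name '%s' does not match '%s'",
- subject, conn->host.dispname);
+ failf(conn->data, "SSL: certificate subject name '%s' does not match "
+ "target host name '%s'", subject_cn, conn->host.dispname);
 success = SECFailure;
 } else {
- infof(conn->data, "warning: common name '%s' does not match '%s'\n",
- subject, conn->host.dispname);
+ infof(conn->data, "warning: SSL: certificate subject name '%s' does not "
+ "match target host name '%s'\n", subject_cn, conn->host.dispname);
 }
 break;
 case SEC_ERROR_EXPIRED_CERTIFICATE:
@@ -645,6 +646,7 @@ static SECStatus BadCertHandler(void *ar
 if(success == SECSuccess)
 infof(conn->data, "SSL certificate verify ok.\n");
 PR_Free(subject);
+ PR_Free(subject_cn);
 PR_Free(issuer);
 
 return success;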
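Review bot: `subject_cn` is passed straight to `%s` in the new `failf`/`infof` calls under `SSL_ERROR_BAD_CERT_DOMAIN`, but `CERT_GetCommonName()` returns NULL when the peer certificate's subject has no CN attribute (for example a certificate identified only by subjectAltName). Whether that prints a placeholder or is undefined depends on the formatter behind `failf`, which is not visible here, so an explicit fallback is safer: `subject_cn ? subject_cn : "(no common name)"`. The value is also chosen by the remote peer, and unlike the `CERT_NameToAscii()` string used before it may not be escaped, so it is worth confirming that control characters cannot reach logs or a terminal through this message. The assignment hunk at -599 also dereferences `cert` right after `SSL_PeerCertificate(sock)` with no NULL check; that predates this patch, but the new line adds a second dereference. `BadCertHandler` starts before the first hunk and ends after the last one, so any handling outside the visible lines is not covered by this note.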