Description: Use gnutls_certificate_verification_status_print() to report
the full verification status instead of checking only a selection of
verification errors.
Author: Andreas Metzler
Origin: vendor
Bug:
Bug-Debian: https://bugs.debian.org/
Bug-Ubuntu: https://launchpad.net/bugs/
Forwarded:
Reviewed-By:
Last-Update:
--- a/WWW/Library/Implementation/HTTP.c
+++ b/WWW/Library/Implementation/HTTP.c
@@ -782,23 +782,22 @@ static int HTLoadHTTP(const char *arg,
GNUTLS_VERIFY_DO_NOT_ALLOW_SAME |
GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
ret = gnutls_certificate_verify_peers2(handle->gnutls_state, &tls_status);
- if (ret < 0 || (ret == 0 &&
- tls_status & GNUTLS_CERT_SIGNER_NOT_FOUND)) {
- int flag_continue = 1;
- char *msg2;
+ if (ret < 0 || tls_status != 0) {
+ int flag_continue = 1, type;
+ gnutls_datum_t out;
- if (ret == 0 && tls_status & GNUTLS_CERT_SIGNER_NOT_FOUND) {
- msg2 = gettext("the certificate has no known issuer");
- } else if (tls_status & GNUTLS_CERT_SIGNER_NOT_FOUND) {
- msg2 = gettext("no issuer was found");
- } else if (tls_status & GNUTLS_CERT_SIGNER_NOT_CA) {
- msg2 = gettext("issuer is not a CA");
- } else if (tls_status & GNUTLS_CERT_REVOKED) {
- msg2 = gettext("the certificate has been revoked");
- } else {
- msg2 = gettext("the certificate is not trusted");
+ if (ret < 0) {
+ HTSprintf0(&msg, SSL_FORCED_PROMPT, gettext(
+ "GnuTLS error when trying to verify certificate."));
+ }
+ else
+ {
+ type = gnutls_certificate_type_get(handle->gnutls_state);
+ ret = gnutls_certificate_verification_status_print (tls_status,
+ type, &out, 0);
+ HTSprintf0(&msg, SSL_FORCED_PROMPT, out.data);
+ gnutls_free(out.data);
}
- HTSprintf0(&msg, SSL_FORCED_PROMPT, msg2);
CTRACE((tfp, "HTLoadHTTP: %s\n", msg));
if (!ssl_noprompt) {
if (!HTForcedPrompt(ssl_noprompt, msg, YES)) {