From 89474b9f712f46ff7f69e92f17f932cc1c977f52 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= Date: Tue, 23 Oct 2012 17:46:22 +0300 Subject: [PATCH 21/21] ssl-verify: use more explicit error message When the server certificate is not being signed by the provided CA, the SSL debug message is currently for example: ssl_verify.c:428:openssl_verify: openssl verify:num=19:self signed certificate in certificate chain:depth=1:/C=IL/L=Raanana/O=Red Hat/CN=my CA Add a more explicit debug message too, as requested in bug: https://bugzilla.redhat.com/show_bug.cgi?id=846666 --- spice-common/common/ssl_verify.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/spice-common/common/ssl_verify.c b/spice-common/common/ssl_verify.c index 6c9deca..e10ed52 100644 --- a/spice-common/common/ssl_verify.c +++ b/spice-common/common/ssl_verify.c @@ -434,6 +434,9 @@ static int openssl_verify(int preverify_ok, X509_STORE_CTX *ctx) v->verifyop & SPICE_SSL_VERIFY_OP_PUBKEY) return 1; + if (err == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN) + spice_debug("server certificate not being signed by the provided CA"); + return 0; } else return 1; -- 1.7.12.1