diff options
Diffstat (limited to '')
| -rw-r--r-- | src/tls/tls_verify.c | 18 |
1 files changed, 13 insertions, 5 deletions
diff --git a/src/tls/tls_verify.c b/src/tls/tls_verify.c index f32f32b..c643f18 100644 --- a/src/tls/tls_verify.c +++ b/src/tls/tls_verify.c @@ -144,6 +144,7 @@ int tls_verify_certificate_callback(int ok, X509_STORE_CTX *ctx) int depth; SSL *con; TLS_SESS_STATE *TLScontext; + EVP_PKEY *rpk = 0; /* May be NULL as of OpenSSL 1.0, thanks for the API change! */ cert = X509_STORE_CTX_get_current_cert(ctx); @@ -151,6 +152,10 @@ int tls_verify_certificate_callback(int ok, X509_STORE_CTX *ctx) con = X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx()); TLScontext = SSL_get_ex_data(con, TLScontext_index); depth = X509_STORE_CTX_get_error_depth(ctx); +#if OPENSSL_VERSION_PREREQ(3,2) + if (cert == 0) + rpk = X509_STORE_CTX_get0_rpk(ctx); +#endif /* * Transient failures to load the (DNS or synthetic TLSA) trust settings @@ -174,12 +179,15 @@ int tls_verify_certificate_callback(int ok, X509_STORE_CTX *ctx) update_error_state(TLScontext, depth, cert, err); if (TLScontext->log_mask & TLS_LOG_VERBOSE) { - if (cert) + if (cert) { X509_NAME_oneline(X509_get_subject_name(cert), buf, sizeof(buf)); - else - strcpy(buf, "<unknown>"); - msg_info("%s: depth=%d verify=%d subject=%s", - TLScontext->namaddr, depth, ok, printable(buf, '?')); + msg_info("%s: depth=%d verify=%d subject=%s", + TLScontext->namaddr, depth, ok, printable(buf, '?')); + } else if (rpk) { + msg_info("%s: verify=%d raw public key", TLScontext->namaddr, ok); + } else { + msg_info("%s: depth=%d verify=%d", TLScontext->namaddr, depth, ok); + } } return (1); } |