Changeset 3b2edd6 in mod_gnutls

Timestamp:

Jan 16, 2020, 2:50:04 PM (3 years ago)

Author:

Fiona Klute <fiona.klute@…>

Branches:

asyncio, main, master, proxy-ticket

Children:

e24e3bf9

Parents:

ee2854b

Message:

Use GnuTLS' certificate status text instead of hard-coded cases

gnutls_certificate_verification_status_print() replaces a bunch of
ifs.

File:

• src/gnutls_hooks.c (modified) (1 diff)

src/gnutls_hooks.c

@@ -1791 +1791 @@
     cur_time = apr_time_now();
 
-    if (status & GNUTLS_CERT_SIGNER_NOT_FOUND) {
+    if (status != 0) {
+        gnutls_datum_t errmsg;
+        gnutls_certificate_verification_status_print(
+            status, gnutls_certificate_type_get(ctxt->session),
+            &errmsg, 0);
         ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
-                "GnuTLS: Could not find Signer for Peer Certificate");
-    }
-
-    if (status & GNUTLS_CERT_SIGNER_NOT_CA) {
-        ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
-                "GnuTLS: Peer's Certificate signer is not a CA");
-    }
-
-    if (status & GNUTLS_CERT_INSECURE_ALGORITHM) {
-        ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
-                "GnuTLS: Peer's Certificate is using insecure algorithms");
-    }
-
-    if (status & GNUTLS_CERT_EXPIRED
-            || status & GNUTLS_CERT_NOT_ACTIVATED) {
-        ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
-                "GnuTLS: Peer's Certificate signer is expired or not yet activated");
-    }
-
-    if (status & GNUTLS_CERT_INVALID) {
-        ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
-                "GnuTLS: Peer Certificate is invalid.");
-    } else if (status & GNUTLS_CERT_REVOKED) {
-        ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
-                "GnuTLS: Peer Certificate is revoked.");
+                      "Client authentication failed: %s", errmsg.data);
+        gnutls_free(errmsg.data);
     }