
Commit 7b0ae45

Merge branch 'topic/ssl-certificate-verify-error-desc'
* topic/ssl-certificate-verify-error-desc:
  ssl: show reason of 'certificate verify error' in exception message
  Make exceptions with the same format regardless of OpenSSL.debug
2 parents bb0d1af + 654e024 commit 7b0ae45

3 files changed

+49
-8
lines changed

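--- a/ext/openssl/ossl.c
+++ b/ext/openssl/ossl.c
@@ -260,27 +260,24 @@ static VALUE
 ossl_make_error(VALUE exc, const char *fmt, va_list args)
 {
     VALUE str = Qnil;
-    const char *msg;
-    long e;
+    unsigned long e;
 
-    e = ERR_peek_last_error();
     if (fmt) {
         str = rb_vsprintf(fmt, args);
     }
+    e = ERR_peek_last_error();
     if (e) {
-        if (dOSSL == Qtrue) /* FULL INFO */
-            msg = ERR_error_string(e, NULL);
-        else
-            msg = ERR_reason_error_string(e);
+        const char *msg = ERR_reason_error_string(e);
+
         if (NIL_P(str)) {
             if (msg) str = rb_str_new_cstr(msg);
         }
         else {
             if (RSTRING_LEN(str)) rb_str_cat2(str, ": ");
             rb_str_cat2(str, msg ? msg : "(null)");
         }
+        ossl_clear_error();
     }
-    ossl_clear_error();
 
     if (NIL_P(str)) str = rb_str_new(0, 0);
     return rb_exc_new3(exc, str);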
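--- a/ext/openssl/ossl_ssl.c
+++ b/ext/openssl/ossl_ssl.c
@@ -1521,6 +1521,9 @@ ossl_start_ssl(VALUE self, int (*func)(), const char *funcname, VALUE opts)
     int ret, ret2;
     VALUE cb_state;
     int nonblock = opts != Qfalse;
+#if defined(SSL_R_CERTIFICATE_VERIFY_FAILED)
+    unsigned long err;
+#endif
 
     rb_ivar_set(self, ID_callback_state, Qnil);
 
@@ -1554,6 +1557,23 @@ ossl_start_ssl(VALUE self, int (*func)(), const char *funcname, VALUE opts)
         case SSL_ERROR_SYSCALL:
             if (errno) rb_sys_fail(funcname);
             ossl_raise(eSSLError, "%s SYSCALL returned=%d errno=%d state=%s", funcname, ret2, errno, SSL_state_string_long(ssl));
+#if defined(SSL_R_CERTIFICATE_VERIFY_FAILED)
+        case SSL_ERROR_SSL:
+            err = ERR_peek_last_error();
+            if (ERR_GET_LIB(err) == ERR_LIB_SSL &&
+                ERR_GET_REASON(err) == SSL_R_CERTIFICATE_VERIFY_FAILED) {
+                const char *err_msg = ERR_reason_error_string(err),
+                      *verify_msg = X509_verify_cert_error_string(SSL_get_verify_result(ssl));
+                if (!err_msg)
+                    err_msg = "(null)";
+                if (!verify_msg)
+                    verify_msg = "(null)";
+                ossl_clear_error(); /* let ossl_raise() not append message */
+                ossl_raise(eSSLError, "%s returned=%d errno=%d state=%s: %s (%s)",
+                           funcname, ret2, errno, SSL_state_string_long(ssl),
+                           err_msg, verify_msg);
+            }
+#endif
         default:
             ossl_raise(eSSLError, "%s returned=%d errno=%d state=%s", funcname, ret2, errno, SSL_state_string_long(ssl));
         }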
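--- a/test/test_ssl.rb
+++ b/test/test_ssl.rb
@@ -745,6 +745,30 @@ def test_verify_hostname_on_connect
     end
   end
 
+  def test_connect_certificate_verify_failed_exception_message
+    start_server(ignore_listener_error: true) { |server, port|
+      ctx = OpenSSL::SSL::SSLContext.new
+      ctx.set_params
+      assert_raise_with_message(OpenSSL::SSL::SSLError, /self signed/) {
+        server_connect(port, ctx)
+      }
+    }
+
+    ctx_proc = proc { |ctx|
+      ctx.cert = issue_cert(@svr, @svr_key, 30, [], @ca_cert, @ca_key,
+                            not_before: Time.now-100, not_after: Time.now-10)
+    }
+    start_server(ignore_listener_error: true, ctx_proc: ctx_proc) { |server, port|
+      store = OpenSSL::X509::Store.new
+      store.add_cert(@ca_cert)
+      ctx = OpenSSL::SSL::SSLContext.new
+      ctx.set_params(cert_store: store)
+      assert_raise_with_message(OpenSSL::SSL::SSLError, /expired/) {
+        server_connect(port, ctx)
+      }
+    }
+  end
+
   def test_multibyte_read_write
     #German a umlaut
     auml = [%w{ C3 A4 }.join('')].pack('H*')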