From: Jeremy Harris
Date: Sun, 7 Jan 2018 20:24:46 +0000 (+0000)
Subject: OpenSSL: better debug info for OCSP
X-Git-Tag: exim-4_91_RC1~110
X-Git-Url: https://vcs.fsf.org/?a=commitdiff_plain;h=57887eccbbb5043d2a25777d081f54c870b256c8;p=exim.git
OpenSSL: better debug info for OCSP
---
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index 7735bd971..e269854ff 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -1364,7 +1364,7 @@ if(!(bs = OCSP_response_get1_basic(rsp)))
 int status, reason;
 ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
- DEBUG(D_tls) bp = BIO_new_fp(stderr, BIO_NOCLOSE);
+ DEBUG(D_tls) bp = BIO_new_fp(debug_file, BIO_NOCLOSE);
 /*OCSP_RESPONSE_print(bp, rsp, 0); extreme debug: stapling content */
@@ -1375,10 +1375,12 @@ if(!(bs = OCSP_response_get1_basic(rsp)))
 cbinfo->u_ocsp.client.verify_store, 0)) <= 0)
 {
 tls_out.ocsp = OCSP_FAILED;
- if (LOGGING(tls_cipher))
- log_write(0, LOG_MAIN, "Received TLS cert status response, itself unverifiable");
+ if (LOGGING(tls_cipher)) log_write(0, LOG_MAIN,
+ "Received TLS cert status response, itself unverifiable: %s",
+ ERR_reason_error_string(ERR_peek_error()));
 BIO_printf(bp, "OCSP response verify failure\n");
 ERR_print_errors(bp);
+ OCSP_RESPONSE_print(bp, rsp, 0);
 goto failed;
 }
@@ -1810,7 +1812,7 @@ if (expcerts && *expcerts)
 )
 {
 log_write(0, LOG_MAIN|LOG_PANIC,
- "failed to load cert hain from %s", file);
+ "failed to load cert chain from %s", file);
 return DEFER;
 }
 #endif
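Review bot: `bp` is only assigned under `DEBUG(D_tls)` and the result of `BIO_new_fp()` is not checked, while the verify-failure path in the next hunk passes `bp` to `BIO_printf`, `ERR_print_errors` and `OCSP_RESPONSE_print` unconditionally. Its declaration and initial value are outside this hunk, so presumably it starts as NULL and those calls rely on OpenSSL treating a NULL BIO as harmless. A comment on this line would make that dependency explicit, e.g. `/* bp stays NULL unless D_tls is set; later BIO_* calls must tolerate that */`. Where `bp` is released is also not visible here.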
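Review bot: The new log argument `ERR_reason_error_string(ERR_peek_error())` reads the oldest entry in the OpenSSL error queue, which may predate the failed `OCSP_basic_verify` call if the queue was not cleared beforehand (not visible in this hunk); `ERR_peek_last_error()` would report the most recent entry instead. `ERR_reason_error_string()` also returns NULL when no reason string is registered, so unless log_write's `%s` handling accepts NULL the call needs a fallback, e.g. `const char *why = ERR_reason_error_string(ERR_peek_last_error());` and then `why ? why : "unknown"` as the argument. The added `OCSP_RESPONSE_print(bp, rsp, 0)` is called on the peer-supplied response even when debugging is off; writing it as `DEBUG(D_tls) OCSP_RESPONSE_print(bp, rsp, 0);` would confine that work to debug runs. The enclosing block starts and ends outside the hunk.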