From: Jeremy Harris <jgh146exb@wizmail.org>
Date: Sun, 7 Oct 2018 23:12:08 +0000 (+0100)
Subject: Debug: output GnuTLS verbose reason for certificate verify refusal
X-Git-Tag: exim-4.92-RC1~80
X-Git-Url: https://vcs.fsf.org/?p=exim.git;a=commitdiff_plain;h=184384c323338c577cf3da314b3d0cd94b372d8e;hp=43d1f6cd753b9104d58a48e0a8f9afca8ddd74b2;ds=sidebyside

Debug: output GnuTLS verbose reason for certificate verify refusal
---

diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index 1430f2f3c..86d005d68 100644
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -39,6 +39,7 @@ require current GnuTLS, then we'll drop support for the ancient libraries).
 #include <gnutls/x509.h>
 /* man-page is incorrect, gnutls_rnd() is not in gnutls.h: */
 #include <gnutls/crypto.h>
+
 /* needed to disable PKCS11 autoload unless requested */
 #if GNUTLS_VERSION_NUMBER >= 0x020c00
 # include <gnutls/pkcs11.h>
@@ -60,6 +61,9 @@ require current GnuTLS, then we'll drop support for the ancient libraries).
 #if GNUTLS_VERSION_NUMBER >= 0x030014
 # define SUPPORT_SYSDEFAULT_CABUNDLE
 #endif
+#if GNUTLS_VERSION_NUMBER >= 0x030104
+# define GNUTLS_CERT_VFY_STATUS_PRINT
+#endif
 #if GNUTLS_VERSION_NUMBER >= 0x030109
 # define SUPPORT_CORK
 #endif
@@ -1743,8 +1747,24 @@ if (rc < 0 || verify & (GNUTLS_CERT_INVALID|GNUTLS_CERT_REVOKED))
   {
   state->peer_cert_verified = FALSE;
   if (!*errstr)
+    {
+#ifdef GNUTLS_CERT_VFY_STATUS_PRINT
+    DEBUG(D_tls)
+      {
+      gnutls_datum_t txt;
+
+      if (gnutls_certificate_verification_status_print(verify,
+	    gnutls_certificate_type_get(state->session), &txt, 0)
+	  == GNUTLS_E_SUCCESS)
+	{
+	debug_printf("%s\n", txt.data);
+	gnutls_free(txt.data);
+	}
+      }
+#endif
     *errstr = verify & GNUTLS_CERT_REVOKED
       ? US"certificate revoked" : US"certificate invalid";
+    }
 
   DEBUG(D_tls)
     debug_printf("TLS certificate verification failed (%s): peerdn=\"%s\"\n",