manually merge 0c6ce2f use x509_crt_verify_info()
diff --git a/programs/ssl/ssl_client1.c b/programs/ssl/ssl_client1.c
index 430060b..a039290 100644
--- a/programs/ssl/ssl_client1.c
+++ b/programs/ssl/ssl_client1.c
@@ -187,24 +187,16 @@
*/
mbedtls_printf( " . Verifying peer X.509 certificate..." );
- /* In real life, we may want to bail out when ret != 0 */
+ /* In real life, we probably want to bail out when ret != 0 */
if( ( ret = mbedtls_ssl_get_verify_result( &ssl ) ) != 0 )
{
+ char vrfy_buf[512];
+
mbedtls_printf( " failed\n" );
- if( ( ret & MBEDTLS_BADCERT_EXPIRED ) != 0 )
- mbedtls_printf( " ! server certificate has expired\n" );
+ mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), " ! ", ret );
- if( ( ret & MBEDTLS_X509_BADCERT_REVOKED ) != 0 )
- mbedtls_printf( " ! server certificate has been revoked\n" );
-
- if( ( ret & MBEDTLS_X509_BADCERT_CN_MISMATCH ) != 0 )
- mbedtls_printf( " ! CN mismatch (expected CN=%s)\n", "PolarSSL Server 1" );
-
- if( ( ret & MBEDTLS_X509_BADCERT_NOT_TRUSTED ) != 0 )
- mbedtls_printf( " ! self-signed or not signed by a trusted CA\n" );
-
- mbedtls_printf( "\n" );
+ mbedtls_printf( "%s\n", vrfy_buf );
}
else
mbedtls_printf( " ok\n" );
diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index 892ca17..b6c776a 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@@ -373,29 +373,13 @@
mbedtls_x509_crt_info( buf, sizeof( buf ) - 1, "", crt );
mbedtls_printf( "%s", buf );
- if( ( (*flags) & MBEDTLS_BADCERT_EXPIRED ) != 0 )
- mbedtls_printf( " ! server certificate has expired\n" );
-
- if( ( (*flags) & MBEDTLS_X509_BADCERT_REVOKED ) != 0 )
- mbedtls_printf( " ! server certificate has been revoked\n" );
-
- if( ( (*flags) & MBEDTLS_X509_BADCERT_CN_MISMATCH ) != 0 )
- mbedtls_printf( " ! CN mismatch\n" );
-
- if( ( (*flags) & MBEDTLS_X509_BADCERT_NOT_TRUSTED ) != 0 )
- mbedtls_printf( " ! self-signed or not signed by a trusted CA\n" );
-
- if( ( (*flags) & MBEDTLS_X509_BADCRL_NOT_TRUSTED ) != 0 )
- mbedtls_printf( " ! CRL not trusted\n" );
-
- if( ( (*flags) & MBEDTLS_X509_BADCRL_EXPIRED ) != 0 )
- mbedtls_printf( " ! CRL expired\n" );
-
- if( ( (*flags) & MBEDTLS_BADCERT_OTHER ) != 0 )
- mbedtls_printf( " ! other (unknown) flag\n" );
-
if ( ( *flags ) == 0 )
mbedtls_printf( " This certificate has no flags\n" );
+ else
+ {
+ mbedtls_x509_crt_verify_info( buf, sizeof( buf ), " ! ", *flags );
+ mbedtls_printf( "%s\n", buf );
+ }
return( 0 );
}
@@ -1287,21 +1271,13 @@
if( ( ret = mbedtls_ssl_get_verify_result( &ssl ) ) != 0 )
{
+ char vrfy_buf[512];
+
mbedtls_printf( " failed\n" );
- if( ( ret & MBEDTLS_BADCERT_EXPIRED ) != 0 )
- mbedtls_printf( " ! server certificate has expired\n" );
+ mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), " ! ", ret );
- if( ( ret & MBEDTLS_X509_BADCERT_REVOKED ) != 0 )
- mbedtls_printf( " ! server certificate has been revoked\n" );
-
- if( ( ret & MBEDTLS_X509_BADCERT_CN_MISMATCH ) != 0 )
- mbedtls_printf( " ! CN mismatch (expected CN=%s)\n", opt.server_name );
-
- if( ( ret & MBEDTLS_X509_BADCERT_NOT_TRUSTED ) != 0 )
- mbedtls_printf( " ! self-signed or not signed by a trusted CA\n" );
-
- mbedtls_printf( "\n" );
+ mbedtls_printf( "%s\n", vrfy_buf );
}
else
mbedtls_printf( " ok\n" );
diff --git a/programs/ssl/ssl_mail_client.c b/programs/ssl/ssl_mail_client.c
index ca54070..371d9ad 100644
--- a/programs/ssl/ssl_mail_client.c
+++ b/programs/ssl/ssl_mail_client.c
@@ -163,7 +163,7 @@
}
}
-static int do_handshake( mbedtls_ssl_context *ssl, struct options *opt )
+static int do_handshake( mbedtls_ssl_context *ssl )
{
int ret;
unsigned char buf[1024];
@@ -195,24 +195,16 @@
*/
mbedtls_printf( " . Verifying peer X.509 certificate..." );
- /* In real life, we may want to bail out when ret != 0 */
+ /* In real life, we probably want to bail out when ret != 0 */
if( ( ret = mbedtls_ssl_get_verify_result( ssl ) ) != 0 )
{
+ char vrfy_buf[512];
+
mbedtls_printf( " failed\n" );
- if( ( ret & MBEDTLS_BADCERT_EXPIRED ) != 0 )
- mbedtls_printf( " ! server certificate has expired\n" );
+ mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), " ! ", ret );
- if( ( ret & MBEDTLS_X509_BADCERT_REVOKED ) != 0 )
- mbedtls_printf( " ! server certificate has been revoked\n" );
-
- if( ( ret & MBEDTLS_X509_BADCERT_CN_MISMATCH ) != 0 )
- mbedtls_printf( " ! CN mismatch (expected CN=%s)\n", opt->server_name );
-
- if( ( ret & MBEDTLS_X509_BADCERT_NOT_TRUSTED ) != 0 )
- mbedtls_printf( " ! self-signed or not signed by a trusted CA\n" );
-
- mbedtls_printf( "\n" );
+ mbedtls_printf( "%s\n", vrfy_buf );
}
else
mbedtls_printf( " ok\n" );
@@ -626,7 +618,7 @@
if( opt.mode == MODE_SSL_TLS )
{
- if( do_handshake( &ssl, &opt ) != 0 )
+ if( do_handshake( &ssl ) != 0 )
goto exit;
mbedtls_printf( " > Get header from server:" );
@@ -695,7 +687,7 @@
mbedtls_printf(" ok\n" );
- if( do_handshake( &ssl, &opt ) != 0 )
+ if( do_handshake( &ssl ) != 0 )
goto exit;
}
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index b536c22..b6d41c5 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -1910,21 +1910,13 @@
if( ( ret = mbedtls_ssl_get_verify_result( &ssl ) ) != 0 )
{
+ char vrfy_buf[512];
+
mbedtls_printf( " failed\n" );
- if( !mbedtls_ssl_get_peer_cert( &ssl ) )
- mbedtls_printf( " ! no client certificate sent\n" );
+ mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), " ! ", ret );
- if( ( ret & MBEDTLS_BADCERT_EXPIRED ) != 0 )
- mbedtls_printf( " ! client certificate has expired\n" );
-
- if( ( ret & MBEDTLS_X509_BADCERT_REVOKED ) != 0 )
- mbedtls_printf( " ! client certificate has been revoked\n" );
-
- if( ( ret & MBEDTLS_X509_BADCERT_NOT_TRUSTED ) != 0 )
- mbedtls_printf( " ! self-signed or not signed by a trusted CA\n" );
-
- mbedtls_printf( "\n" );
+ mbedtls_printf( "%s\n", vrfy_buf );
}
else
mbedtls_printf( " ok\n" );