Always print detailed cert errors in test programs
Previously the client printed them only on handshake success, and
the server printed them on success and on some, but not all, failures.
This makes ssl-opt.sh more consistent as we can always check for the
presence of the expected message in the output, regardless of whether
the failure is hard or soft.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index 43133d9..64564ab 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@@ -2204,7 +2204,9 @@
ret != MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS) {
mbedtls_printf(" failed\n ! mbedtls_ssl_handshake returned -0x%x\n",
(unsigned int) -ret);
- if (ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED) {
+#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
+ if (ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED ||
+ ret == MBEDTLS_ERR_SSL_BAD_CERTIFICATE) {
mbedtls_printf(
" Unable to verify the server's certificate. "
"Either it is invalid,\n"
@@ -2215,7 +2217,13 @@
"not using TLS 1.3.\n"
" For TLS 1.3 server, try `ca_path=/etc/ssl/certs/`"
"or other folder that has root certificates\n");
+
+ flags = mbedtls_ssl_get_verify_result(&ssl);
+ char vrfy_buf[512];
+ x509_crt_verify_info(vrfy_buf, sizeof(vrfy_buf), " ! ", flags);
+ mbedtls_printf("%s\n", vrfy_buf);
}
+#endif
mbedtls_printf("\n");
goto exit;
}
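Review bot: `char vrfy_buf[512];` is declared after the `flags = mbedtls_ssl_get_verify_result(&ssl);` statement, whereas the matching block in ssl_server2.c (hunk @@ -3504) declares the buffer first and then assigns `flags`; moving the declaration above the assignment here keeps the two programs identical and avoids a mixed-declaration style the surrounding file may not otherwise use. The condition now also fires on `MBEDTLS_ERR_SSL_BAD_CERTIFICATE`, which as far as I can tell can be returned for rejections that did not come from the X.509 verification step, so `flags` may be 0 there and `x509_crt_verify_info` would then print an empty line beneath the "Unable to verify" message; if so, a comment such as `/* flags may be 0 when the rejection did not come from verification */` or guarding the print with `if (flags != 0)` would make the output less misleading, and the same applies to the server hunk. The enclosing handshake loop starts and ends outside this hunk, and the declaration of `flags` is not visible here, so I cannot confirm it is in scope on both sides of the new `#if`.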
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index a5d2ed1..0f871f7 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -3504,7 +3504,8 @@
(unsigned int) -ret);
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
- if (ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED) {
+ if (ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED ||
+ ret == MBEDTLS_ERR_SSL_BAD_CERTIFICATE) {
char vrfy_buf[512];
flags = mbedtls_ssl_get_verify_result(&ssl);
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 895d8fc..6956805 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -7736,7 +7736,7 @@
-c "Processing of the Certificate handshake message failed" \
-C "Ciphersuite is TLS-" \
-c "send alert level=2 message=43" \
- -C "! Usage does not match the keyUsage extension"
+ -c "! Usage does not match the keyUsage extension"
# MBEDTLS_X509_BADCERT_KEY_USAGE -> MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT
run_test "keyUsage cli 1.2: KeyEncipherment, DHE-RSA: fail, soft" \
@@ -7771,7 +7771,7 @@
-c "Processing of the Certificate handshake message failed" \
-C "Ciphersuite is TLS-" \
-c "send alert level=2 message=43" \
- -C "! Usage does not match the keyUsage extension"
+ -c "! Usage does not match the keyUsage extension"
# MBEDTLS_X509_BADCERT_KEY_USAGE -> MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT
run_test "keyUsage cli 1.2: DigitalSignature, RSA: fail, soft" \
@@ -7822,7 +7822,7 @@
-c "Processing of the Certificate handshake message failed" \
-C "Ciphersuite is" \
-c "send alert level=2 message=43" \
- -C "! Usage does not match the keyUsage extension"
+ -c "! Usage does not match the keyUsage extension"
# MBEDTLS_X509_BADCERT_KEY_USAGE -> MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT
requires_openssl_tls1_3_with_compatible_ephemeral
@@ -7837,7 +7837,7 @@
-c "Processing of the Certificate handshake message failed" \
-C "Ciphersuite is" \
-c "send alert level=2 message=43" \
- -C "! Usage does not match the keyUsage extension"
+ -c "! Usage does not match the keyUsage extension"
# MBEDTLS_X509_BADCERT_KEY_USAGE -> MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT
requires_openssl_tls1_3_with_compatible_ephemeral
@@ -7864,7 +7864,7 @@
-c "Processing of the Certificate handshake message failed" \
-C "Ciphersuite is" \
-c "send alert level=2 message=43" \
- -C "! Usage does not match the keyUsage extension"
+ -c "! Usage does not match the keyUsage extension"
# MBEDTLS_X509_BADCERT_KEY_USAGE -> MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT
requires_openssl_tls1_3_with_compatible_ephemeral
@@ -7879,7 +7879,7 @@
-c "Processing of the Certificate handshake message failed" \
-C "Ciphersuite is" \
-c "send alert level=2 message=43" \
- -C "! Usage does not match the keyUsage extension"
+ -c "! Usage does not match the keyUsage extension"
# MBEDTLS_X509_BADCERT_KEY_USAGE -> MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT
# Tests for keyUsage in leaf certificates, part 3:
@@ -7916,6 +7916,7 @@
1 \
-s "bad certificate (usage extensions)" \
-s "send alert level=2 message=43" \
+ -s "! Usage does not match the keyUsage extension" \
-s "Processing of the Certificate handshake message failed"
# MBEDTLS_X509_BADCERT_KEY_USAGE -> MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT
@@ -7948,6 +7949,7 @@
1 \
-s "bad certificate (usage extensions)" \
-s "send alert level=2 message=43" \
+ -s "! Usage does not match the keyUsage extension" \
-s "Processing of the Certificate handshake message failed"
# MBEDTLS_X509_BADCERT_KEY_USAGE -> MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT
@@ -7999,6 +8001,7 @@
-s "bad certificate (usage extensions)" \
-s "Processing of the Certificate handshake message failed" \
-s "send alert level=2 message=43" \
+ -s "! Usage does not match the keyUsage extension" \
-s "! mbedtls_ssl_handshake returned"
# MBEDTLS_X509_BADCERT_KEY_USAGE -> MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT
#
@@ -8040,6 +8043,7 @@
-s "bad certificate (usage extensions)" \
-s "Processing of the Certificate handshake message failed" \
-s "send alert level=2 message=43" \
+ -s "! Usage does not match the keyUsage extension" \
-s "! mbedtls_ssl_handshake returned"
# MBEDTLS_X509_BADCERT_KEY_USAGE -> MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT
#