From 5c243b6c4cfe48dd9d9ba34464fdd458043a8484 Mon Sep 17 00:00:00 2001
From: Tomas Babej
Date: Sat, 18 Feb 2017 20:30:59 +0100
Subject: [PATCH] TLSClient: Improve diagnostics

Task now correctly distinguishes the situation where CA file is present, but not valid in some sense (empty file, not valid PEM, ..). In this case the gnutls_certificate_set_x509_trust_file returns 0, as the number of certificates detected in the file. The method returns negative numbers for other errors, such as the CA file itself missing.

Also clarify that when validating client cert/key pair, each of them can be the source of the problem, not only the cliet certificate file.
---
 src/TLSClient.cpp | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/src/TLSClient.cpp b/src/TLSClient.cpp
index 88e450ff0..ea16987bc 100644
--- a/src/TLSClient.cpp
+++ b/src/TLSClient.cpp
@@ -157,15 +157,24 @@ void TLSClient::init (
       throw format ("Bad System Trust. {1}", gnutls_strerror (ret)); // All
 #endif
 
-  if (_ca != "" &&
-      (ret = gnutls_certificate_set_x509_trust_file (_credentials, _ca.c_str (), GNUTLS_X509_FMT_PEM)) < 0) // All
-    throw format ("Bad CA file. {1}", gnutls_strerror (ret)); // All
+  if (_ca != "")
+  {
+    // The gnutls_certificate_set_x509_key_file call returns number of
+    // certificates parsed on success (including 0, when no certificate was
+    // found) and negative values on error
+    ret = gnutls_certificate_set_x509_trust_file (_credentials, _ca.c_str (), GNUTLS_X509_FMT_PEM); // All
+    if (ret == 0)
+      throw format ("CA file {1} contains no certificate.", _ca);
+    else if (ret < 0)
+      throw format ("Bad CA file: {1}", gnutls_strerror (ret)); // All
+
+  }
 
   // TODO This may need 0x030111 protection.
   if (_cert != "" && _key != "" &&
       (ret = gnutls_certificate_set_x509_key_file (_credentials, _cert.c_str (), _key.c_str (), GNUTLS_X509_FMT_PEM)) < 0) // 3.1.11
-    throw format ("Bad CERT file. {1}", gnutls_strerror (ret)); // All
+    throw format ("Bad client CERT/KEY file. {1}", gnutls_strerror (ret)); // All
 
 #if GNUTLS_VERSION_NUMBER < 0x030406
 #if GNUTLS_VERSION_NUMBER >= 0x020a00
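Review bot: The new comment above the trust-file call names the wrong function — it says `gnutls_certificate_set_x509_key_file` while the line it documents calls `gnutls_certificate_set_x509_trust_file`, and the two have different return contracts (the commit message itself describes the trust-file one), so a reader could carry the "0 means no certificate" rule over to the key-file call, where `< 0` is the check this hunk keeps. Suggested wording: `// gnutls_certificate_set_x509_trust_file returns the number of CA certificates parsed on success (0 when the file holds none) and a negative value on error`. The stray blank line before the closing `}` of the `if (_ca != "")` block should go, and the new message `"Bad CA file: {1}"` uses a colon where the neighbouring `"Bad System Trust. {1}"` and `"Bad client CERT/KEY file. {1}"` use a period; `"Bad CA file. {1}"` would keep them uniform for anyone grepping logs. TLSClient::init begins and ends outside this hunk.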