From 3539738cf54b9505b3131ecfc873128beb32166c Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Wed, 12 Jun 2019 01:23:23 +0300
Subject: [PATCH] OpenSSL: Report peer certificate before stopping due to validation issue

This is needed to allow upper layer software to learn the hash of the server certificate for allowing user to override trust root configuration.

Signed-off-by: Jouni Malinen
---
 src/crypto/tls_openssl.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index 9980f032d..3c142d34d 100644
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -2375,6 +2375,8 @@ static int tls_verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
 }
 #endif /* CONFIG_SHA256 */
 
+ openssl_tls_cert_event(conn, err_cert, depth, buf);
+
 if (!preverify_ok) {
 wpa_printf(MSG_WARNING, "TLS: Certificate verification failed,"
 " error %d (%s) depth %d for '%s'", err, err_str,
@@ -2431,8 +2433,7 @@ static int tls_verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
 openssl_tls_fail_event(conn, err_cert, err, depth, buf,
 "Domain mismatch",
 TLS_FAIL_DOMAIN_MISMATCH);
- } else
- openssl_tls_cert_event(conn, err_cert, depth, buf);
+ }
 
 if (conn->cert_probe && preverify_ok && depth == 0) {
 wpa_printf(MSG_DEBUG, "OpenSSL: Reject server certificate "
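Review bot: The new unconditional `openssl_tls_cert_event(conn, err_cert, depth, buf);` in the first hunk fires before the `preverify_ok` check and before the domain/altsubject checks, and with the `else` dropped in the second hunk a certificate event and a later `openssl_tls_fail_event()` can now both be emitted for the same certificate, so a consumer can no longer read the certificate event as "this chain validated". That ordering is clearly the intent, but nothing at the call site says so; a comment such as `/* Report the peer certificate before the verification outcome is known so the upper layer can record its hash; any failure is still reported separately below and takes precedence. */` would stop a later cleanup from re-introducing the `else`. Any upper-layer code that used the certificate event as a trust signal must instead key on the absence of a subsequent failure event. tls_verify_cb() begins and ends outside both hunks, so whether `buf` is populated on every path that reaches the moved call cannot be confirmed from this diff.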