OpenSSL: Report peer certificate before stopping due to validation issue

This is needed to allow upper layer software to learn the hash of the
server certificate, so that the user can override the trust root
configuration.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This commit is contained in:
Jouni Malinen 2019-06-12 01:23:23 +03:00
parent 1363fdb283
commit 3539738cf5


@ -2375,6 +2375,8 @@ static int tls_verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
} }
#endif /* CONFIG_SHA256 */ #endif /* CONFIG_SHA256 */
openssl_tls_cert_event(conn, err_cert, depth, buf);
if (!preverify_ok) { if (!preverify_ok) {
wpa_printf(MSG_WARNING, "TLS: Certificate verification failed," wpa_printf(MSG_WARNING, "TLS: Certificate verification failed,"
" error %d (%s) depth %d for '%s'", err, err_str, " error %d (%s) depth %d for '%s'", err, err_str,
@ -2431,8 +2433,7 @@ static int tls_verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
openssl_tls_fail_event(conn, err_cert, err, depth, buf, openssl_tls_fail_event(conn, err_cert, err, depth, buf,
"Domain mismatch", "Domain mismatch",
TLS_FAIL_DOMAIN_MISMATCH); TLS_FAIL_DOMAIN_MISMATCH);
} else }
openssl_tls_cert_event(conn, err_cert, depth, buf);
if (conn->cert_probe && preverify_ok && depth == 0) { if (conn->cert_probe && preverify_ok && depth == 0) {
wpa_printf(MSG_DEBUG, "OpenSSL: Reject server certificate " wpa_printf(MSG_DEBUG, "OpenSSL: Reject server certificate "