Armel Asselin separated CA cert verification problems from problems with

reading the (local) CA cert file to let users easier pinpoint the actual
problem. CURLE_SSL_CACERT_BADFILE (77) is the new libcurl error code.

diff --git a/CHANGES b/CHANGES
index 67020ae4d8b5342a09bda0aa12820e750761aca4..6d91774b25218cc4b3e0c4312746d7eecf7c970e 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -6,6 +6,11 @@
 
                                   Changelog
 
+Daniel (21 October 2006)
+- Armel Asselin separated CA cert verification problems from problems with
+  reading the (local) CA cert file to let users easier pinpoint the actual
+  problem. CURLE_SSL_CACERT_BADFILE (77) is the new libcurl error code.
+
 Daniel (18 October 2006)
 - Removed the "protocol-guessing" for URLs with host names starting with FTPS
   or TELNET since they are practically non-existant. This leaves us with only

diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index 6fd5cc1cb9a1825c9e6eb93bbf21de14c8d6847c..1d8f6424157dc0fb0d018f7026644661e01badd7 100644 (file)
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -10,7 +10,8 @@ Curl and libcurl 7.16.0
  Number of contributors:                   515
 
 This release includes the following changes:
-
+ 
+ o Added CURLE_SSL_CACERT_BADFILE
  o Added CURLMOPT_TIMERFUNCTION
  o The CURLOPT_SOURCE_* options are removed and so are the --3p* command line
    options

diff --git a/docs/libcurl/libcurl-errors.3 b/docs/libcurl/libcurl-errors.3
index 1d693600249d45e654e15702fc405e41753201c5..062bf83de7b1f57ff0dadbd4947a29457c37b580 100644 (file)
--- a/docs/libcurl/libcurl-errors.3
+++ b/docs/libcurl/libcurl-errors.3
@@ -174,7 +174,7 @@ problem with the local client certificate
 .IP "CURLE_SSL_CIPHER (59)"
 couldn't use specified cipher
 .IP "CURLE_SSL_CACERT (60)"
-problem with the CA cert (path? access rights?) 
+peer certificate cannot be authenticated with known CA certificates
 .IP "CURLE_BAD_CONTENT_ENCODING (61)"
 Unrecognized transfer encoding
 .IP "CURLE_LDAP_INVALID_URL (62)"
@@ -208,6 +208,8 @@ No such TFTP user
 Character conversion failed
 .IP "CURLE_CONV_REQD (76)"
 Caller must register conversion callbacks
+.IP "CURLE_SSL_CACERT_BADFILE (77)"
+Problem with reading the SSL CA cert (path? access rights?)
 .SH "CURLMcode"
 This is the generic return code used by functions in the libcurl multi
 interface. Also consider \fIcurl_multi_strerror(3)\fP.

diff --git a/include/curl/curl.h b/include/curl/curl.h
index 548c7f8484aa5208f97a5456345efb6108271511..36b52bb05d80bc37948d3b8bee88ea796af0d579 100644 (file)
--- a/include/curl/curl.h
+++ b/include/curl/curl.h
@@ -390,6 +390,8 @@ typedef enum {
                                     CURLOPT_CONV_FROM_NETWORK_FUNCTION,
                                     CURLOPT_CONV_TO_NETWORK_FUNCTION, and
                                     CURLOPT_CONV_FROM_UTF8_FUNCTION */
+  CURLE_SSL_CACERT_BADFILE,      /* 77 - could not load CACERT file, missing
+                                    or wrong format */
   CURL_LAST /* never use! */
 } CURLcode;
 

diff --git a/lib/gtls.c b/lib/gtls.c
index b202adfd44c5e872336e81dd3e0ec031d93a3d51..02680d02bff9286dc6cc758020a089ad8f085277 100644 (file)
--- a/lib/gtls.c
+++ b/lib/gtls.c
@@ -5,7 +5,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2005, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2006, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -234,9 +234,12 @@ Curl_gtls_connect(struct connectdata *conn,
     rc = gnutls_certificate_set_x509_trust_file(conn->ssl[sockindex].cred,
                                                 data->set.ssl.CAfile,
                                                 GNUTLS_X509_FMT_PEM);
-    if(rc < 0)
+    if(rc < 0) {
       infof(data, "error reading ca cert file %s (%s)\n",
             data->set.ssl.CAfile, gnutls_strerror(rc));
+      if (data->set.ssl.verifypeer)
+        return CURLE_SSL_CACERT_BADFILE;
+    }
     else
       infof(data, "found %d certificates in %s\n",
             rc, data->set.ssl.CAfile);

diff --git a/lib/ssluse.c b/lib/ssluse.c
index 2d6a6fed6a6bd8d6a93d54c7498ba7a3e0d3bcaa..28c2ef62b047477ee7264b8f0e2027f66783ff2d 100644 (file)
--- a/lib/ssluse.c
+++ b/lib/ssluse.c
@@ -1272,7 +1272,7 @@ Curl_ossl_connect_step1(struct connectdata *conn,
               "  CAfile: %s\n  CApath: %s\n",
               data->set.ssl.CAfile ? data->set.ssl.CAfile : "none",
               data->set.ssl.CApath ? data->set.ssl.CApath : "none");
-        return CURLE_SSL_CACERT;
+        return CURLE_SSL_CACERT_BADFILE;
       }
       else {
         /* Just continue with a warning if no strict  certificate verification

diff --git a/lib/strerror.c b/lib/strerror.c
index 62ccfe9a0645d9c02718035f1f5acfa1912223d5..3e466c688ba7dc077d6094fb077e58a21f389461 100644 (file)
--- a/lib/strerror.c
+++ b/lib/strerror.c
@@ -227,6 +227,9 @@ curl_easy_strerror(CURLcode error)
     return "couldn't use specified SSL cipher";
 
   case CURLE_SSL_CACERT:
+    return "peer certificate cannot be authenticated with known CA certificates";
+
+  case CURLE_SSL_CACERT_BADFILE:
     return "problem with the SSL CA cert (path? access rights?)";
 
   case CURLE_BAD_CONTENT_ENCODING:

diff --git a/tests/data/test305 b/tests/data/test305
index f814225b96f061aaaffba0f774ec76c5110a5d7a..0e01ea2e94f22c31d69c9fd3ed61a11f0f3c02e9 100644 (file)
--- a/tests/data/test305
+++ b/tests/data/test305
@@ -28,6 +28,6 @@ https://%HOSTIP:%HTTPSPORT/want/305 --cacert moooo
 <protocol>
 </protocol>
 <errorcode>
-60
+77
 </errorcode>
 </verify>