Improve error message if client cert verification fails

PR: 50093
Submitted by: Lassi Tuura <lat cern ch>

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1026703 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/CHANGES b/CHANGES
index 9e925d38ed5e8177159bbbeb867f49b81bc56ce2..4c6bb5455b5724d02b0212be88f0f045cbd3f279 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -24,8 +24,9 @@ Changes with Apache 2.3.9
      interfering with authentication/authorization. [Paul Querna,
      Igor Galić, Stefan Fritsch]
 
-  *) mod_ssl: Log certificate information if client cert verification
-     fails. PR 50094. [Lassi Tuura <lat cern ch>, Stefan Fritsch]
+  *) mod_ssl: Log certificate information and improve error message if client
+     cert verification fails. PR 50093, PR 50094. [Lassi Tuura <lat cern ch>,
+     Stefan Fritsch]
 
   *) htcacheclean: Teach htcacheclean to limit cache size by number of
      inodes in addition to size of files. Prevents a cache disk from

diff --git a/modules/ssl/ssl_engine_vars.c b/modules/ssl/ssl_engine_vars.c
index 5e14ff5da01ca4e4859c4d0c3692febccf2a4186..62127fff2d1ffdde5733378769b3949ad9ef5deb 100644 (file)
--- a/modules/ssl/ssl_engine_vars.c
+++ b/modules/ssl/ssl_engine_vars.c
@@ -623,7 +623,8 @@ static char *ssl_var_lookup_ssl_cert_verify(apr_pool_t *p, conn_rec *c)
         result = "GENEROUS";
     else
         /* client verification failed */
-        result = apr_psprintf(p, "FAILED:%s", verr);
+        result = apr_psprintf(p, "FAILED:%s",
+                              verr ? verr : X509_verify_cert_error_string(vrc));
 
     if (xs)
         X509_free(xs);