From a8a2cd01647cc05d31d02e0cd816ce239caa0680 Mon Sep 17 00:00:00 2001
From: Stefan Fritsch
Date: Sat, 23 Oct 2010 22:17:44 +0000
Subject: [PATCH] Improve error message if client cert verification fails
PR: 50093
Submitted by: Lassi Tuura
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1026703 13f79535-47bb-0310-9956-ffa450edef68
---
 CHANGES | 5 +++--
 modules/ssl/ssl_engine_vars.c | 3 ++-
 2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/CHANGES b/CHANGES
index 9e925d38ed..4c6bb5455b 100644
--- a/CHANGES
+++ b/CHANGES
@@ -24,8 +24,9 @@ Changes with Apache 2.3.9
 interfering with authentication/authorization. [Paul Querna, Igor Galić, Stefan Fritsch]
- *) mod_ssl: Log certificate information if client cert verification
- fails. PR 50094. [Lassi Tuura , Stefan Fritsch]
+ *) mod_ssl: Log certificate information and improve error message if client
+ cert verification fails. PR 50093, PR 50094. [Lassi Tuura ,
+ Stefan Fritsch]
 *) htcacheclean: Teach htcacheclean to limit cache size by number of inodes in addition to size of files. Prevents a cache disk from
diff --git a/modules/ssl/ssl_engine_vars.c b/modules/ssl/ssl_engine_vars.c
index 5e14ff5da0..62127fff2d 100644
--- a/modules/ssl/ssl_engine_vars.c
+++ b/modules/ssl/ssl_engine_vars.c
@@ -623,7 +623,8 @@ static char *ssl_var_lookup_ssl_cert_verify(apr_pool_t *p, conn_rec *c)
 result = "GENEROUS"; else /* client verification failed */
- result = apr_psprintf(p, "FAILED:%s", verr);
+ result = apr_psprintf(p, "FAILED:%s",
+ verr ? verr : X509_verify_cert_error_string(vrc));
 if (xs) X509_free(xs);
--
2.40.0
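Review bot: The new fallback in the `else` branch of ssl_var_lookup_ssl_cert_verify can produce the string "FAILED:ok", because X509_verify_cert_error_string() returns "ok" for X509_V_OK and the added expression does not check `vrc` before using it. Whether that branch can be reached with `verr == NULL` and `vrc == X509_V_OK` depends on the earlier conditions, which start outside this hunk, so this should be confirmed against the full function. Since this value is typically consumed by access-control expressions and log analysis, an unambiguous reason is worth the extra guard: `verr ? verr : (vrc != X509_V_OK ? X509_verify_cert_error_string(vrc) : "unknown"));`. A one-line comment above the call would also help the next reader, e.g. `/* verr may be NULL; fall back to OpenSSL's text for the verify result */`.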