diff options
author | Selva Nair | 2023-10-01 13:49:20 -0400 |
---|---|---|
committer | Gert Doering | 2023-10-02 10:13:04 +0200 |
commit | ebfa5f3811e92863a3bbcc53b7a3f1b29dff1bc1 (patch) | |
tree | 87c899121542b049326c067327ffe28bc0aa97fc /src/openvpn/pkcs11_openssl.c | |
parent | f04ce77e8da54b6dbf3e016506b7ffdba0713004 (diff) | |
download | openvpn-ebfa5f3811e92863a3bbcc53b7a3f1b29dff1bc1.zip openvpn-ebfa5f3811e92863a3bbcc53b7a3f1b29dff1bc1.tar.gz |
Log OpenSSL errors on failure to set certificate
Currently we log a bogus error message saying private key password
verification failed when SSL_CTX_use_cert_and_key() fails in
pkcs11_openssl.c. Instead print OpenSSL error queue and exit promptly.
Also log OpenSSL errors when SSL_CTX_use_certiifcate() fails in
cryptoapi.c and elsewhere. Such logging could be useful especially when
the ceritficate is rejected by OpenSSL due to stricter security
restrictions in recent versions of the library.
Change-Id: Ic7ec25ac0503a91d5869b8da966d0065f264af22
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20231001174920.54154-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27122.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 2671dcb69837ae58b3303f11c1b6ba4cee8eea00)
Diffstat (limited to 'src/openvpn/pkcs11_openssl.c')
-rw-r--r-- | src/openvpn/pkcs11_openssl.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/src/openvpn/pkcs11_openssl.c b/src/openvpn/pkcs11_openssl.c index 40080ef..aa0819f 100644 --- a/src/openvpn/pkcs11_openssl.c +++ b/src/openvpn/pkcs11_openssl.c @@ -302,7 +302,8 @@ xkey_load_from_pkcs11h(pkcs11h_certificate_t certificate, if (!SSL_CTX_use_cert_and_key(ctx->ctx, x509, pkey, NULL, 0)) { - msg(M_WARN, "PKCS#11: Failed to set cert and private key for OpenSSL"); + crypto_print_openssl_errors(M_WARN); + msg(M_FATAL, "PKCS#11: Failed to set cert and private key for OpenSSL"); goto cleanup; } ret = 1; @@ -369,7 +370,8 @@ pkcs11_init_tls_session(pkcs11h_certificate_t certificate, if (!SSL_CTX_use_certificate(ssl_ctx->ctx, x509)) { - msg(M_WARN, "PKCS#11: Cannot set certificate for openssl"); + crypto_print_openssl_errors(M_WARN); + msg(M_FATAL, "PKCS#11: Cannot set certificate for openssl"); goto cleanup; } ret = 0; |