authorJeremy Harris <jgh146exb@wizmail.org>2017-05-15 17:36:37 +0100
committerJeremy Harris <jgh146exb@wizmail.org>2017-05-21 13:51:05 +0100
commitf77197ae2013bdb19593195588dfe4ed6bf66d3b (patch)
tree26c108095674807fdb6b4e7b81a4c87870557909
parent6600985a2331eeaa8af525eb627edfe08b1a2e9c (diff)
OpenSSL: add sender_host_address info to certificate verify error log messages when in verify callout
-rw-r--r--src/src/tls-openssl.c24
1 files changed, 15 insertions, 9 deletions
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index 3aade3b9e..083826674 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -384,11 +384,13 @@ dn[sizeof(dn)-1] = '\0';
if (preverify_ok == 0)
{
- log_write(0, LOG_MAIN, "[%s] SSL verify error: depth=%d error=%s cert=%s",
- tlsp == &tls_out ? deliver_host_address : sender_host_address,
- depth,
- X509_verify_cert_error_string(X509_STORE_CTX_get_error(x509ctx)),
- dn);
+ uschar * extra = verify_mode ? string_sprintf(" (during %c-verify for [%s])",
+ *verify_mode, sender_host_address)
+ : US"";
+ log_write(0, LOG_MAIN, "[%s] SSL verify error%s: depth=%d error=%s cert=%s",
+ tlsp == &tls_out ? deliver_host_address : sender_host_address,
+ extra, depth,
+ X509_verify_cert_error_string(X509_STORE_CTX_get_error(x509ctx)), dn);
*calledp = TRUE;
if (!*optionalp)
{
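Review bot: `extra` is built from `sender_host_address` with no check that it is set, and the identical expression is repeated in the certificate-name-mismatch hunk further down. If a verify callout can run for a message that did not arrive over TCP (not visible from this hunk), the log text then depends on how `string_sprintf` treats a NULL `%s` argument; a guard such as `sender_host_address ? sender_host_address : US"unknown"` would make the outcome explicit (the placeholder wording is only an example). Moving the expression into one small static helper would keep both call sites identical. The message prefix is also no longer always the literal `SSL verify error:`, so log-matching rules or alerting keyed on that string should be checked against the new format. The enclosing callback starts and ends outside the hunk.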
@@ -449,7 +451,7 @@ else
if (rc < 0)
{
log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
- deliver_host_address);
+ tlsp == &tls_out ? deliver_host_address : sender_host_address);
name = NULL;
}
break;
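Review bot: The internal-error message gets the corrected address selection but not the `extra` suffix that the other two messages gain, so during a verify callout this line still does not identify the inbound client whose transaction triggered it. If `verify_mode` is in scope here as it appears to be in the neighbouring hunks, the same suffix could be added with `"[%s] SSL verify error%s: internal error"` and `extra` as the second argument. The enclosing block starts outside the hunk.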
@@ -459,10 +461,14 @@ else
if (!tls_is_name_for_cert(verify_cert_hostnames, cert))
#endif
{
+ uschar * extra = verify_mode
+ ? string_sprintf(" (during %c-verify for [%s])",
+ *verify_mode, sender_host_address)
+ : US"";
log_write(0, LOG_MAIN,
- "[%s] SSL verify error: certificate name mismatch: "
- "DN=\"%s\" H=\"%s\"",
- deliver_host_address, dn, verify_cert_hostnames);
+ "[%s] SSL verify error%s: certificate name mismatch: DN=\"%s\" H=\"%s\"",
+ tlsp == &tls_out ? deliver_host_address : sender_host_address,
+ extra, dn, verify_cert_hostnames);
*calledp = TRUE;
if (!*optionalp)
{