Description: Make use of gnutls_certificate_verification_status_print instead of only checking a selection of verification errors.
Author: Andreas Metzler
Origin: vendor
Bug:
Bug-Debian: https://bugs.debian.org/
Bug-Ubuntu: https://launchpad.net/bugs/
Forwarded:
Reviewed-By:
Last-Update:
--- a/WWW/Library/Implementation/HTTP.c
+++ b/WWW/Library/Implementation/HTTP.c
@@ -782,23 +782,22 @@ static int HTLoadHTTP(const char *arg,
 GNUTLS_VERIFY_DO_NOT_ALLOW_SAME |
 GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
 ret = gnutls_certificate_verify_peers2(handle->gnutls_state, &tls_status);
- if (ret < 0 || (ret == 0 &&
- tls_status & GNUTLS_CERT_SIGNER_NOT_FOUND)) {
- int flag_continue = 1;
- char *msg2;
+ if (ret < 0 || tls_status != 0) {
+ int flag_continue = 1, type;
+ gnutls_datum_t out;
 
- if (ret == 0 && tls_status & GNUTLS_CERT_SIGNER_NOT_FOUND) {
- msg2 = gettext("the certificate has no known issuer");
- } else if (tls_status & GNUTLS_CERT_SIGNER_NOT_FOUND) {
- msg2 = gettext("no issuer was found");
- } else if (tls_status & GNUTLS_CERT_SIGNER_NOT_CA) {
- msg2 = gettext("issuer is not a CA");
- } else if (tls_status & GNUTLS_CERT_REVOKED) {
- msg2 = gettext("the certificate has been revoked");
- } else {
- msg2 = gettext("the certificate is not trusted");
+ if (ret < 0) {
+ HTSprintf0(&msg, SSL_FORCED_PROMPT, gettext( "GnuTLS error when trying to verify certificate."));
+ }
+ else
+ {
+ type = gnutls_certificate_type_get(handle->gnutls_state);
+ ret = gnutls_certificate_verification_status_print (tls_status, type, &out, 0);
+ HTSprintf0(&msg, SSL_FORCED_PROMPT, out.data);
+ gnutls_free(out.data);
 }
- HTSprintf0(&msg, SSL_FORCED_PROMPT, msg2);
 CTRACE((tfp, "HTLoadHTTP: %s\n", msg));
 if (!ssl_noprompt) {
 if (!HTForcedPrompt(ssl_noprompt, msg, YES)) {
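Review bot: The return value of gnutls_certificate_verification_status_print is stored in `ret` but never checked, so on an allocation or lookup failure `out.data` is handed to HTSprintf0 and gnutls_free without ever having been set (`out` is declared uninitialized a few lines above). The verification failure should still be reported in that case, otherwise the user is prompted with garbage or the prompt is skipped; a fallback message keeps the prompt meaningful. Overwriting `ret` here also discards the verify_peers2 result, which may matter if `ret` is read again further down in HTLoadHTTP — the function body continues outside the hunk, so that needs checking at the call site. Minor style point: `out.data` is `unsigned char *`, so a `(char *)` cast in the HTSprintf0 call avoids a pointer-sign warning.
```c
		type = gnutls_certificate_type_get(handle->gnutls_state);
		out.data = NULL;
		if (gnutls_certificate_verification_status_print(tls_status,
								  type, &out, 0) < 0
		    || out.data == NULL) {
		    HTSprintf0(&msg, SSL_FORCED_PROMPT,
			       gettext("the certificate is not trusted"));
		} else {
		    HTSprintf0(&msg, SSL_FORCED_PROMPT, (char *) out.data);
		    gnutls_free(out.data);
		}
```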