From eaebb92f3e708f84d3c0e919cde900f0bb36c56c Mon Sep 17 00:00:00 2001
From: Artem Boldariev
Date: Tue, 11 Oct 2022 21:00:04 +0300
Subject: [PATCH] TLS DNS: fix certificate verification error message reporting

This commit fixes TLS DNS verification error message reporting which we probably broke during one of the recent networking code refactorings. This prevent e.g. dig from producing useful error messages related to TLS certificates verification.
---
 lib/isc/netmgr/netmgr-int.h | 1 +
 lib/isc/netmgr/tlsdns.c | 15 ++++++++++++++-
 2 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/lib/isc/netmgr/netmgr-int.h b/lib/isc/netmgr/netmgr-int.h
index 56d4792c2e..aa23797c49 100644
--- a/lib/isc/netmgr/netmgr-int.h
+++ b/lib/isc/netmgr/netmgr-int.h
@@ -891,6 +891,7 @@ struct isc_nmsocket {
 /* List of active send requests. */
 isc__nm_uvreq_t *pending_req;
 bool alpn_negotiated;
+ const char *tls_verify_errmsg;
 } tls;
 #if HAVE_LIBNGHTTP2
diff --git a/lib/isc/netmgr/tlsdns.c b/lib/isc/netmgr/tlsdns.c
index 051dbf814f..7ec144941e 100644
--- a/lib/isc/netmgr/tlsdns.c
+++ b/lib/isc/netmgr/tlsdns.c
@@ -872,6 +872,12 @@ isc__nm_tlsdns_failed_read_cb(isc_nmsocket_t *sock, isc_result_t result,
 sock->tls.pending_req = NULL;
 
 if (peer_verification_has_failed(sock)) {
+ /*
+ * Save error message as 'sock->tls' will get detached.
+ */
+ sock->tls.tls_verify_errmsg =
+ isc_tls_verify_peer_result_string(
+ sock->tls.tls);
 failure_result = ISC_R_TLSBADPEERCERT;
 }
 isc__nm_failed_connect_cb(sock, req, failure_result, async);
@@ -2082,6 +2088,13 @@ isc__nm_tlsdns_shutdown(isc_nmsocket_t *sock) {
 sock->tls.pending_req = NULL;
 
 if (peer_verification_has_failed(sock)) {
+ /*
+ * Save error message as 'sock->tls' will get
+ * detached.
+ */
+ sock->tls.tls_verify_errmsg =
+ isc_tls_verify_peer_result_string(
+ sock->tls.tls);
 result = ISC_R_TLSBADPEERCERT;
 }
 isc__nm_failed_connect_cb(sock, req, result, false);
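Review bot: The new `tls_verify_errmsg` member of `struct isc_nmsocket` has no comment, unlike the neighbouring `pending_req`, so a reader cannot tell who owns the string or for how long it stays valid after `tls` is detached. The patch relies on `isc_tls_verify_peer_result_string()` returning a string whose lifetime is independent of the TLS object (presumably a static table entry, but that is not visible here); that assumption should be written down next to the field, e.g. `/* Peer-verification error string saved before 'tls' is detached; not owned by the socket, must outlive it. */`. It would also help to say that the field is expected to be NULL unless a verification failure was recorded, since the reader in tlsdns.c returns it directly.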
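Review bot: The same three-statement block (comment, assignment, `isc_tls_verify_peer_result_string()` call) is pasted into both `isc__nm_tlsdns_failed_read_cb` and `isc__nm_tlsdns_shutdown`, with the comment even wrapped differently in the two copies; both enclosing functions start and end outside their hunks. A small static helper keeps the two paths from drifting if the saving logic ever changes (for example if the message must be copied rather than pointed to), and gives one place to document why the message is captured before `isc__nm_failed_connect_cb()` runs. The helper below replaces the six added lines in the `@@ -872` hunk and the seven added lines in the `@@ -2082` hunk.
```c
/*
 * Remember the peer-verification error message while 'sock->tls.tls'
 * is still attached, so it can still be reported to the caller once
 * the TLS object has been detached by the connect-failure path.
 */
static void
save_verify_errmsg(isc_nmsocket_t *sock) {
	sock->tls.tls_verify_errmsg =
		isc_tls_verify_peer_result_string(sock->tls.tls);
}

/* … unchanged: isc__nm_tlsdns_failed_read_cb up to the pending_req handling … */
	if (peer_verification_has_failed(sock)) {
		save_verify_errmsg(sock);
		failure_result = ISC_R_TLSBADPEERCERT;
	}
/* … unchanged: isc__nm_tlsdns_shutdown uses the same call in its own pending_req block … */
```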
@@ -2174,7 +2187,7 @@ isc__nm_tlsdns_verify_tls_peer_result_string(const isc_nmhandle_t *handle) {
 
 sock = handle->sock;
 if (sock->tls.tls == NULL) {
- return (NULL);
+ return (sock->tls.tls_verify_errmsg);
 }
 
 return (isc_tls_verify_peer_result_string(sock->tls.tls));
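Review bot: Returning `sock->tls.tls_verify_errmsg` once `tls` is NULL is only correct if that field is NULL whenever no verification failure was recorded, and nothing in this patch initialises or clears it — the behaviour rests on the socket being zero-initialised at creation, which is likely for this code base but not visible in the hunk. A comment on the branch would make the contract explicit and prevent a future reader from treating the field as always populated: `/* TLS state already detached: report the message saved when verification failed, or NULL if it never did. */`. The enclosing function starts before the hunk (its argument checks are not shown), and the public declaration of this function should also be updated to say that a non-NULL message can now be returned after the TLS object is gone, since callers such as dig rely on it for diagnosing certificate problems.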