TLS DNS: fix certificate verification error message reporting

This commit fixes TLS DNS verification error message reporting which we probably broke during one of the recent networking code refactorings. This prevent e.g. dig from producing useful error messages related to TLS certificates verification.
2025-08-28 21:17:54 +00:00 · 2022-10-11 21:00:04 +03:00 · 2022-10-11 21:00:04 +03:00 · eaebb92f3e
commit eaebb92f3e
parent 6789b88d25
2 changed files with 15 additions and 1 deletions
--- a/lib/isc/netmgr/netmgr-int.h
+++ b/lib/isc/netmgr/netmgr-int.h
@ -891,6 +891,7 @@ struct isc_nmsocket {
 		/* List of active send requests. */
 		isc__nm_uvreq_t *pending_req;
 		bool alpn_negotiated;
+		const char *tls_verify_errmsg;
 	} tls;

 #if HAVE_LIBNGHTTP2
--- a/lib/isc/netmgr/tlsdns.c
+++ b/lib/isc/netmgr/tlsdns.c
@ -872,6 +872,12 @@ isc__nm_tlsdns_failed_read_cb(isc_nmsocket_t *sock, isc_result_t result,
 		sock->tls.pending_req = NULL;

 		if (peer_verification_has_failed(sock)) {
+			/*
+			 * Save error message as 'sock->tls' will get detached.
+			 */
+			sock->tls.tls_verify_errmsg =
+				isc_tls_verify_peer_result_string(
+					sock->tls.tls);
 			failure_result = ISC_R_TLSBADPEERCERT;
 		}
 		isc__nm_failed_connect_cb(sock, req, failure_result, async);
@ -2082,6 +2088,13 @@ isc__nm_tlsdns_shutdown(isc_nmsocket_t *sock) {
 			sock->tls.pending_req = NULL;

 			if (peer_verification_has_failed(sock)) {
+				/*
+				 * Save error message as 'sock->tls' will get
+				 * detached.
+				 */
+				sock->tls.tls_verify_errmsg =
+					isc_tls_verify_peer_result_string(
+						sock->tls.tls);
 				result = ISC_R_TLSBADPEERCERT;
 			}
 			isc__nm_failed_connect_cb(sock, req, result, false);
@ -2174,7 +2187,7 @@ isc__nm_tlsdns_verify_tls_peer_result_string(const isc_nmhandle_t *handle) {

 	sock = handle->sock;
 	if (sock->tls.tls == NULL) {
-		return (NULL);
+		return (sock->tls.tls_verify_errmsg);
 	}

 	return (isc_tls_verify_peer_result_string(sock->tls.tls));