From aee82efe45ccdaa9c5ddd4bf0bf7da757822713d Mon Sep 17 00:00:00 2001
From: "Todd C. Miller"
Date: Tue, 27 Jul 2021 14:49:28 -0600
Subject: [PATCH] Display the correct error message if X509_verify_cert() fails.

We must use X509_STORE_CTX_get_error() and X509_verify_cert_error_string() instead of the generic OpenSSL error functions.
---
 logsrvd/tls_init.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/logsrvd/tls_init.c b/logsrvd/tls_init.c
index 5f1ba14aa..5b9e47702 100644
--- a/logsrvd/tls_init.c
+++ b/logsrvd/tls_init.c
@@ -90,7 +90,8 @@ verify_cert_chain(SSL_CTX *ctx, const char *cert_file)
     }
 
     if (X509_verify_cert(store_ctx) <= 0) {
-	errstr = ERR_reason_error_string(ERR_get_error());
+	errstr =
+	    X509_verify_cert_error_string(X509_STORE_CTX_get_error(store_ctx));
 	sudo_warnx("X509_verify_cert: %s", errstr);
 	goto done;
     }
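Review bot: The new error text names the verification failure but not where in the chain it occurred, which is what an operator needs to fix a bad CA bundle or intermediate; the sudo_warnx line could include the depth, e.g. `sudo_warnx("X509_verify_cert: %s (depth %d)", errstr, X509_STORE_CTX_get_error_depth(store_ctx));`, and optionally the subject of X509_STORE_CTX_get_current_cert(store_ctx). The `<= 0` test also covers the negative return that X509_verify_cert() uses for internal errors rather than a policy failure; in that case X509_STORE_CTX_get_error() may still read X509_V_OK and the message would say "ok", so a fallback to `ERR_reason_error_string(ERR_get_error())` when the store error is X509_V_OK seems worth considering (I have not verified this against the OpenSSL version sudo targets). The enclosing verify_cert_chain() and the declaration of errstr lie outside the hunk.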