From 9e1c99f8009f056c39a7465b91912c136b248e8f Mon Sep 17 00:00:00 2001
From: Werner Koch
Date: Mon, 19 May 2014 09:48:42 +0200
Subject: [PATCH] dirmngr: Print certificates on failed TLS verification.
* dirmngr/ks-engine-hkp.c (cert_log_cb): New. (send_request): Set callback.
--
We use the KSBA functions here because we have them anyway in Dirmngr.
---
dirmngr/ks-engine-hkp.c | 35 +++++++++++++++++++++++++++++++++++
1 file changed, 35 insertions(+)
diff --git a/dirmngr/ks-engine-hkp.c b/dirmngr/ks-engine-hkp.c
index 3c25953d2..0f0baab6b 100644
--- a/dirmngr/ks-engine-hkp.c
+++ b/dirmngr/ks-engine-hkp.c
@@ -873,6 +873,40 @@ ks_hkp_housekeeping (time_t curtime)
 }
+/* Callback to print infos about the TLS certificates. */
+static void
+cert_log_cb (http_session_t sess, gpg_error_t err,
+ const char *hostname, const void **certs, size_t *certlens)
+{
+ ksba_cert_t cert;
+ size_t n;
+
+ (void)sess;
+
+ if (!err)
+ return; /* No error - no need to log anything */
+
+ log_debug ("expected hostname: %s\n", hostname);
+ for (n=0; certs[n]; n++)
+ {
+ err = ksba_cert_new (&cert);
+ if (!err)
+ err = ksba_cert_init_from_mem (cert, certs[n], certlens[n]);
+ if (err)
+ log_error ("error parsing cert for logging: %s\n", gpg_strerror (err));
+ else
+ {
+ char textbuf[20];
+ snprintf (textbuf, sizeof textbuf, "server[%u]", (unsigned int)n);
+ dump_cert (textbuf, cert);
+ }
+
+ ksba_cert_release (cert);
+ }
+}
+
+
+
 /* Send an HTTP request. On success returns an estream object at R_FP. HOSTPORTSTR is only used for diagnostics. If HTTPHOST is not NULL it will be used as HTTP "Host" header. If POST_CB is not
@@ -896,6 +930,7 @@ send_request (ctrl_t ctrl, const char *request, const char *hostportstr,
 err = http_session_new (&session, NULL); if (err) goto leave;
+ http_session_set_log_cb (session, cert_log_cb);
 once_more: err = http_open (&http,
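Review bot: In cert_log_cb the incoming `err` — the TLS verification failure that triggered the callback — is overwritten by the first `ksba_cert_new (&cert)` call in the loop and is never logged, so the output shows the expected hostname and the certificates but not why verification failed. Log it before the loop, e.g. `log_debug ("TLS verification failed: %s\n", gpg_strerror (err));` right after the `if (!err) return;` guard. Separately, `cert` is declared without an initializer and `ksba_cert_release (cert)` runs on every iteration, including the one where `ksba_cert_new` itself failed; unless ksba_cert_new is guaranteed to store NULL on failure (not visible in this hunk), that releases an indeterminate pointer, so declare it `ksba_cert_t cert = NULL;` or `continue` after logging the allocation error. The loop also relies on `certs` being NULL-terminated; since the callback contract is defined outside this hunk, stating that assumption in the function comment (`/* CERTS is a NULL-terminated array of DER certificates, CERTLENS their lengths. */`) would help the next reader.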