gnutls: Report actual GnuTLS error message for certificate errors

If GnuTLS fails to read the certificate then include whatever reason it provides in the failure message reported to the client. Signed-off-by: Mike Crowe <mac@mcrowe.com>
curl · Sep 23, 2015 · 5f87906 · 5f87906
1 parent 684bf30
commit 5f87906
Showing 1 changed file with 10 additions and 8 deletions.
diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
@@ -663,17 +663,18 @@ gtls_connect_step1(struct connectdata *conn,
         GNUTLS_PKCS_USE_PKCS12_RC2_40 | GNUTLS_PKCS_USE_PBES2_3DES |
         GNUTLS_PKCS_USE_PBES2_AES_128 | GNUTLS_PKCS_USE_PBES2_AES_192 |
         GNUTLS_PKCS_USE_PBES2_AES_256;
-      if(gnutls_certificate_set_x509_key_file2(
+      rc = gnutls_certificate_set_x509_key_file2(
            conn->ssl[sockindex].cred,
            data->set.str[STRING_CERT],
            data->set.str[STRING_KEY] ?
            data->set.str[STRING_KEY] : data->set.str[STRING_CERT],
            do_file_type(data->set.str[STRING_CERT_TYPE]),
            data->set.str[STRING_KEY_PASSWD],
-           supported_key_encryption_algorithms) !=
-         GNUTLS_E_SUCCESS) {
+           supported_key_encryption_algorithms);
+      if(rc != GNUTLS_E_SUCCESS) {
         failf(data,
-              "error reading X.509 potentially-encrypted key file");
+              "error reading X.509 potentially-encrypted key file: %s",
+              gnutls_strerror(rc));
         return CURLE_SSL_CONNECT_ERROR;
 #else
         failf(data, "gnutls lacks support for encrypted key files");
@@ -682,14 +683,15 @@ gtls_connect_step1(struct connectdata *conn,
       }
     }
     else {
-      if(gnutls_certificate_set_x509_key_file(
+      rc = gnutls_certificate_set_x509_key_file(
            conn->ssl[sockindex].cred,
            data->set.str[STRING_CERT],
            data->set.str[STRING_KEY] ?
            data->set.str[STRING_KEY] : data->set.str[STRING_CERT],
-           do_file_type(data->set.str[STRING_CERT_TYPE]) ) !=
-         GNUTLS_E_SUCCESS) {
-        failf(data, "error reading X.509 key or certificate file");
+           do_file_type(data->set.str[STRING_CERT_TYPE]) );
+      if(rc != GNUTLS_E_SUCCESS) {
+        failf(data, "error reading X.509 key or certificate file: %s",
+              gnutls_strerror(rc));
         return CURLE_SSL_CONNECT_ERROR;
       }
     }