Better log about server certificate validation at client side.

eclipse-leshan · Sep 15, 2020 · 74d9ed3 · 74d9ed3
1 parent df08289
commit 74d9ed3
Showing 1 changed file with 5 additions and 2 deletions.
diff --git a/...t-cf/src/main/java/org/eclipse/leshan/client/californium/CaliforniumEndpointsManager.java b/...t-cf/src/main/java/org/eclipse/leshan/client/californium/CaliforniumEndpointsManager.java
@@ -141,15 +141,18 @@ public void verifyCertificate(CertificateMessage message, DTLSSession session)
                         if (message.getCertificateChain().getCertificates().size() == 0) {
                             AlertMessage alert = new AlertMessage(AlertLevel.FATAL, AlertDescription.BAD_CERTIFICATE,
                                     session.getPeer());
-                            throw new HandshakeException("Certificate chain could not be validated", alert);
+                            throw new HandshakeException(
+                                    "Certificate chain could not be validated : server cert chain is empty", alert);
                         }
                         Certificate receivedServerCertificate = message.getCertificateChain().getCertificates().get(0);
 
                         // Validate certificate
                         if (!expectedServerCertificate.equals(receivedServerCertificate)) {
                             AlertMessage alert = new AlertMessage(AlertLevel.FATAL, AlertDescription.BAD_CERTIFICATE,
                                     session.getPeer());
-                            throw new HandshakeException("Certificate chain could not be validated", alert);
+                            throw new HandshakeException(
+                                    "Certificate chain could not be validated: server certificate does not match expected one ('domain-issue certificate' usage)",
+                                    alert);
                         }
                     }