authorJouni Malinen <jouni@codeaurora.org>2019-06-11 22:23:23 (GMT)
committerJouni Malinen <jouni@codeaurora.org>2019-06-14 20:10:50 (GMT)
commit3539738cf54b9505b3131ecfc873128beb32166c (patch)
tree04b8348a10c95f48888d83a6f4e0bac58ebab332
parent1363fdb283e2ca6c6aed982ad720be09279e09d4 (diff)
OpenSSL: Report peer certificate before stopping due to validation issue
This is needed to allow upper layer software to learn the hash of the server certificate so that the user can override the trust root configuration. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
-rw-r--r--src/crypto/tls_openssl.c5
1 files changed, 3 insertions, 2 deletions
diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index 9980f03..3c142d3 100644
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -2375,6 +2375,8 @@ static int tls_verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
}
#endif /* CONFIG_SHA256 */
+ openssl_tls_cert_event(conn, err_cert, depth, buf);
+
if (!preverify_ok) {
wpa_printf(MSG_WARNING, "TLS: Certificate verification failed,"
" error %d (%s) depth %d for '%s'", err, err_str,
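Review bot: The new `openssl_tls_cert_event()` call sits ahead of the `if (!preverify_ok)` check, so the peer certificate event is now delivered for certificates that have not passed validation, and nothing at the call site says so. A consumer that reads the event as a sign of an accepted certificate would be wrong, so I would add a comment above the call such as `/* Reported before the validation result is acted on: the certificate in this event is not yet trusted and may be rejected below. */`. The hash learned from such an event is presumably meant only as input to an explicit user decision, and the event's own documentation should say that too. tls_verify_cb starts and ends outside this hunk, so any earlier guard on `conn` or `err_cert` is not visible here.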
@@ -2431,8 +2433,7 @@ static int tls_verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
openssl_tls_fail_event(conn, err_cert, err, depth, buf,
"Domain mismatch",
TLS_FAIL_DOMAIN_MISMATCH);
- } else
- openssl_tls_cert_event(conn, err_cert, depth, buf);
+ }
if (conn->cert_probe && preverify_ok && depth == 0) {
wpa_printf(MSG_DEBUG, "OpenSSL: Reject server certificate "