- ? "CRL path validation" : "certificate verification",
- depth, cert_error,
- X509_verify_cert_error_string(cert_error));
- BIO_printf(bio, "failure for:\n");
- x509_print_ex_brief(bio, cert, X509_FLAG_NO_EXTENSIONS);
+ ? "CRL path validation"
+ : "Certificate verification",
+ X509_STORE_CTX_get_error_depth(ctx),
+ cert_error, X509_verify_cert_error_string(cert_error));
+ {
+ X509_STORE *ts = X509_STORE_CTX_get0_store(ctx);
+ X509_VERIFY_PARAM *vpm = X509_STORE_get0_param(ts);
+ char *str;
+ int idx = 0;
+
+ switch (cert_error) {
+ case X509_V_ERR_HOSTNAME_MISMATCH:
+ BIO_printf(bio, "Expected hostname(s) = ");
+ while ((str = X509_VERIFY_PARAM_get0_host(vpm, idx++)) != NULL)
+ BIO_printf(bio, "%s%s", idx == 1 ? "" : ", ", str);
+ BIO_printf(bio, "\n");
+ break;
+ case X509_V_ERR_EMAIL_MISMATCH:
+ str = X509_VERIFY_PARAM_get0_email(vpm);
+ if (str != NULL)
+ BIO_printf(bio, "Expected email address = %s\n", str);
+ break;
+ case X509_V_ERR_IP_ADDRESS_MISMATCH:
+ str = X509_VERIFY_PARAM_get1_ip_asc(vpm);
+ if (str != NULL)
+ BIO_printf(bio, "Expected IP address = %s\n", str);
+ OPENSSL_free(str);
+ break;
+ default:
+ break;
+ }
+ }
+
+ BIO_printf(bio, "Failure for:\n");
+ x509_print_ex_brief(bio, X509_STORE_CTX_get_current_cert(ctx),
+ X509_FLAG_NO_EXTENSIONS);