TLS: in OpenSSL verify_callback_server(), set fine-grained alert erro…

…r codes For example, early rejection of common name will call X509_STORE_CTX_set_error with X509_V_ERR_CERT_REJECTED. This, in turn, will alert the client: EVENT: TLS_ALERT_MISC OpenSSLContext::SSL::read_cleartext: BIO_read failed, cap=2640 status=0: error:14094412: SSL routines:ssl3_read_bytes:sslv3 alert bad certificate[bad certificate] [FATAL-ERR] Signed-off-by: James Yonan <[email protected]>
OpenVPN · Jan 10, 2025 · cdd7852 · cdd7852
1 parent a96c32c
commit cdd7852
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/openvpn/openssl/ssl/sslctx.hpp b/openvpn/openssl/ssl/sslctx.hpp
@@ -1976,6 +1976,7 @@ class OpenSSLContext : public SSLFactoryAPI
                     self_ssl->authcert->add_fail(depth,
                                                  AuthCert::Fail::BAD_CERT_TYPE,
                                                  "bad peer-fingerprint in leaf certificate");
+                X509_STORE_CTX_set_error(ctx, X509_V_ERR_CERT_SIGNATURE_FAILURE);
                 preverify_ok = false;
             }
 
@@ -1987,6 +1988,7 @@ class OpenSSLContext : public SSLFactoryAPI
                     self_ssl->authcert->add_fail(depth,
                                                  AuthCert::Fail::BAD_CERT_TYPE,
                                                  "bad ns-cert-type in leaf certificate");
+                X509_STORE_CTX_set_error(ctx, X509_V_ERR_INVALID_PURPOSE);
                 preverify_ok = false;
             }
 
@@ -1998,6 +2000,7 @@ class OpenSSLContext : public SSLFactoryAPI
                     self_ssl->authcert->add_fail(depth,
                                                  AuthCert::Fail::BAD_CERT_TYPE,
                                                  "bad X509 key usage in leaf certificate");
+                X509_STORE_CTX_set_error(ctx, X509_V_ERR_INVALID_PURPOSE);
                 preverify_ok = false;
             }
 
@@ -2009,6 +2012,7 @@ class OpenSSLContext : public SSLFactoryAPI
                     self_ssl->authcert->add_fail(depth,
                                                  AuthCert::Fail::BAD_CERT_TYPE,
                                                  "bad X509 extended key usage in leaf certificate");
+                X509_STORE_CTX_set_error(ctx, X509_V_ERR_INVALID_PURPOSE);
                 preverify_ok = false;
             }
 
@@ -2023,12 +2027,14 @@ class OpenSSLContext : public SSLFactoryAPI
                     if (self->config->cn_reject_handler->reject(cn))
                     {
                         OVPN_LOG_INFO("VERIFY FAIL -- early rejection of leaf cert Common Name");
+                        X509_STORE_CTX_set_error(ctx, X509_V_ERR_CERT_REJECTED);
                         preverify_ok = false;
                     }
                 }
                 catch (const std::exception &e)
                 {
                     OVPN_LOG_INFO("VERIFY FAIL -- early rejection of leaf cert Common Name due to handler exception: " << e.what());
+                    X509_STORE_CTX_set_error(ctx, X509_V_ERR_CERT_REJECTED);
                     preverify_ok = false;
                 }
             }