Networking/Apps/wget/openssl.patch

   1 --- src/openssl.c       (revision 2008)
   2 +++ src/openssl.c       (working copy)
   3 @@ -509,19 +509,34 @@
   4    vresult = SSL_get_verify_result (conn);
   5    if (vresult != X509_V_OK)
   6      {
   7 -      /* #### We might want to print saner (and translatable) error
   8 -        messages for several frequently encountered errors.  The
   9 -        candidates would include
  10 -        X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY,
  11 -        X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN,
  12 -        X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT,
  13 -        X509_V_ERR_CERT_NOT_YET_VALID, X509_V_ERR_CERT_HAS_EXPIRED,
  14 -        and possibly others.  The current approach would still be
  15 -        used for the less frequent failure cases.  */
  16 +      char *issuer = X509_NAME_oneline (X509_get_issuer_name (cert), 0, 0);
  17        logprintf (LOG_NOTQUIET,
  18 -                _("%s: Certificate verification error for %s: %s\n"),
  19 -                severity, escnonprint (host),
  20 -                X509_verify_cert_error_string (vresult));
  21 +                _("%s: cannot verify %s's certificate, issued by `%s':\n"),
  22 +                severity, escnonprint (host), escnonprint (issuer));
  23 +      /* Try to print more user-friendly (and translated) messages for
  24 +        the frequent verification errors.  */
  25 +      switch (vresult)
  26 +       {
  27 +       case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
  28 +         logprintf (LOG_NOTQUIET,
  29 +                    _("  Unable to locally verify the issuer's authority.\n"));
  30 +         break;
  31 +       case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
  32 +       case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
  33 +         logprintf (LOG_NOTQUIET, _("  Self-signed certificate encountered.\n"));
  34 +         break;
  35 +       case X509_V_ERR_CERT_NOT_YET_VALID:
  36 +         logprintf (LOG_NOTQUIET, _("  Issued certificate not yet valid.\n"));
  37 +         break;
  38 +       case X509_V_ERR_CERT_HAS_EXPIRED:
  39 +         logprintf (LOG_NOTQUIET, _("  Issued certificate has expired.\n"));
  40 +         break;
  41 +       default:
  42 +         /* For the less frequent error strings, simply provide the
  43 +            OpenSSL error message.  */
  44 +         logprintf (LOG_NOTQUIET, "  %s\n",
  45 +                    X509_verify_cert_error_string (vresult));
  46 +       }
  47        success = 0;
  48        /* Fall through, so that the user is warned about *all* issues
  49          with the cert (important with --no-check-certificate.)  */