dovecot-1.2: Log a better error message if ssl_cert_file doesn't...
dovecot at dovecot.org
dovecot at dovecot.org
Sun Oct 5 00:33:08 EEST 2008
details: http://hg.dovecot.org/dovecot-1.2/rev/7ac86b33ad64
changeset: 8224:7ac86b33ad64
user: Timo Sirainen <tss at iki.fi>
date: Sun Oct 05 00:33:05 2008 +0300
description:
Log a better error message if ssl_cert_file doesn't point to a valid certificate.
diffstat:
1 file changed, 34 insertions(+), 2 deletions(-)
src/login-common/ssl-proxy-openssl.c | 36 ++++++++++++++++++++++++++++++++--
diffs (59 lines):
diff -r 66ecd60b7ea2 -r 7ac86b33ad64 src/login-common/ssl-proxy-openssl.c
--- a/src/login-common/ssl-proxy-openssl.c Sun Oct 05 00:06:56 2008 +0300
+++ b/src/login-common/ssl-proxy-openssl.c Sun Oct 05 00:33:05 2008 +0300
@@ -711,12 +711,31 @@ static void ssl_clean_free(void *ptr)
p_free(system_clean_pool, ptr);
}
+static bool is_pem_key_file(const char *path)
+{
+ char buf[4096];
+ int fd, ret;
+
+ /* this code is used only for giving a better error message,
+ so it needs to catch only the normal key files */
+ fd = open(path, O_RDONLY);
+ if (fd == -1)
+ return FALSE;
+ ret = read(fd, buf, sizeof(buf)-1);
+ close(fd);
+ if (ret <= 0)
+ return FALSE;
+ buf[ret] = '\0';
+ return strstr(buf, "PRIVATE KEY---") != NULL;
+}
+
void ssl_proxy_init(void)
{
static char dovecot[] = "dovecot";
const char *cafile, *certfile, *keyfile, *cipher_list, *username_field;
char *password;
unsigned char buf;
+ unsigned long err;
memset(&ssl_params, 0, sizeof(ssl_params));
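Review bot: is_pem_key_file() leaves up to 4095 bytes of the private key file in the stack buffer `buf` when it returns, and since the only caller reaches it just before i_fatal() the material is never cleared; a `memset(buf, 0, sizeof(buf));` (or the tree's safe_memset() equivalent, if this version has one) before the return would keep key bytes out of any later stack reuse or core dump. The detection is also limited by design: the single read() looks at the first 4095 bytes only, and strstr() stops at the first NUL byte, so a DER-encoded key or a key placed after other PEM blocks in a large file is reported with the generic "doesn't contain a certificate" message rather than the mixed-settings one. That is consistent with the comment on lines 26-27, but it would be worth saying so in the comment, e.g. `/* only the first 4 KiB are inspected and DER files are not recognized; this is a best-effort hint, not a validator */`. The read() return value is not retried on EINTR either, which is harmless here since a failure just falls back to the generic message.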
@@ -759,8 +778,21 @@ void ssl_proxy_init(void)
}
if (SSL_CTX_use_certificate_chain_file(ssl_ctx, certfile) != 1) {
- i_fatal("Can't load certificate file %s: %s",
- certfile, ssl_last_error());
+ err = ERR_peek_error();
+ if (ERR_GET_LIB(err) != ERR_LIB_PEM ||
+ ERR_GET_REASON(err) != PEM_R_NO_START_LINE) {
+ i_fatal("Can't load certificate file %s: %s",
+ certfile, ssl_last_error());
+ } else if (is_pem_key_file(certfile)) {
+ i_fatal("Can't load certificate file %s: "
+ "The file contains a private key "
+ "(you've mixed ssl_cert_file and ssl_key_file settings)",
+ certfile);
+ } else {
+ i_fatal("Can't load certificate file %s: "
+ "The file doesn't contain a certificate.",
+ certfile);
+ }
}
SSL_CTX_set_default_passwd_cb(ssl_ctx, pem_password_callback);
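Review bot: ERR_peek_error() returns the earliest entry on the thread's OpenSSL error queue, so any error left over from the calls made before SSL_CTX_use_certificate_chain_file() (the context creation or CA-file loading earlier in ssl_proxy_init, which are outside this hunk) would be inspected instead of the PEM_R_NO_START_LINE pushed by this call, and the new, more helpful messages would silently fall back to the generic one. Calling `ERR_clear_error();` immediately before `if (SSL_CTX_use_certificate_chain_file(ssl_ctx, certfile) != 1) {` makes the peek reliable; this is inferred from the OpenSSL queue semantics rather than from anything visible here, so it should be checked against the rest of the function. The rest of ssl_proxy_init continues past the end of the hunk.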