Always print detailed cert errors in test programs

Previously the client was only printing them on handshake success, and the server was printing them on success and some but not all failures. This makes ssl-opt.sh more consistent as we can always check for the presence of the expected message in the output, regardless of whether the failure is hard or soft. Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2026-03-20 19:21:09 +01:00 · 2024-08-08 10:56:41 +02:00
parent 4956e32538
commit 92a391e0fe
3 changed files with 21 additions and 8 deletions
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@@ -2204,7 +2204,9 @@ usage:
            ret != MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS) {
            mbedtls_printf(" failed\n  ! mbedtls_ssl_handshake returned -0x%x\n",
                           (unsigned int) -ret);
-            if (ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED) {
+#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
+            if (ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED ||
+                ret == MBEDTLS_ERR_SSL_BAD_CERTIFICATE) {
                mbedtls_printf(
                    "    Unable to verify the server's certificate. "
                    "Either it is invalid,\n"
@@ -2215,7 +2217,13 @@ usage:
                    "not using TLS 1.3.\n"
                    "    For TLS 1.3 server, try `ca_path=/etc/ssl/certs/`"
                    "or other folder that has root certificates\n");
+
+                flags = mbedtls_ssl_get_verify_result(&ssl);
+                char vrfy_buf[512];
+                x509_crt_verify_info(vrfy_buf, sizeof(vrfy_buf), "  ! ", flags);
+                mbedtls_printf("%s\n", vrfy_buf);
            }
+#endif
            mbedtls_printf("\n");
            goto exit;
        }