changeset 8224:7ac86b33ad64 HEAD
Log a better error message if ssl_cert_file doesn't point to a valid certificate.
author | Timo Sirainen <tss@iki.fi> |
---|---|
date | Sun, 05 Oct 2008 00:33:05 +0300 |
parents | 66ecd60b7ea2 |
children | fe97a84145f9 |
files | src/login-common/ssl-proxy-openssl.c |
diffstat | 1 files changed, 34 insertions(+), 2 deletions(-) [+] |
--- a/src/login-common/ssl-proxy-openssl.c	Sun Oct 05 00:06:56 2008 +0300
+++ b/src/login-common/ssl-proxy-openssl.c	Sun Oct 05 00:33:05 2008 +0300
@@ -711,12 +711,31 @@
 	p_free(system_clean_pool, ptr);
 }
 
+static bool is_pem_key_file(const char *path)
+{
+	char buf[4096];
+	int fd, ret;
+
+	/* this code is used only for giving a better error message,
+	   so it needs to catch only the normal key files */
+	fd = open(path, O_RDONLY);
+	if (fd == -1)
+		return FALSE;
+	ret = read(fd, buf, sizeof(buf)-1);
+	close(fd);
+	if (ret <= 0)
+		return FALSE;
+	buf[ret] = '\0';
+	return strstr(buf, "PRIVATE KEY---") != NULL;
+}
+
 void ssl_proxy_init(void)
 {
 	static char dovecot[] = "dovecot";
 	const char *cafile, *certfile, *keyfile, *cipher_list, *username_field;
 	char *password;
 	unsigned char buf;
+	unsigned long err;
 
 	memset(&ssl_params, 0, sizeof(ssl_params));
 
@@ -759,8 +778,21 @@
 	}
 
 	if (SSL_CTX_use_certificate_chain_file(ssl_ctx, certfile) != 1) {
-		i_fatal("Can't load certificate file %s: %s",
-			certfile, ssl_last_error());
+		err = ERR_peek_error();
+		if (ERR_GET_LIB(err) != ERR_LIB_PEM ||
+		    ERR_GET_REASON(err) != PEM_R_NO_START_LINE) {
+			i_fatal("Can't load certificate file %s: %s",
+				certfile, ssl_last_error());
+		} else if (is_pem_key_file(certfile)) {
+			i_fatal("Can't load certificate file %s: "
+				"The file contains a private key "
+				"(you've mixed ssl_cert_file and ssl_key_file settings)",
+				certfile);
+		} else {
+			i_fatal("Can't load certificate file %s: "
+				"The file doesn't contain a certificate.",
+				certfile);
+		}
 	}
 
 	SSL_CTX_set_default_passwd_cb(ssl_ctx, pem_password_callback);
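Review bot: In the new `is_pem_key_file` helper, `ret` receives the result of `read()` but is declared `int`; declare it `ssize_t ret;` so the variable matches the call's return type and the `ret <= 0` test reads as the usual error/short-read check. Because every open or read failure returns FALSE, an unreadable key file falls through to the weaker "doesn't contain a certificate" message rather than the mixed-settings hint; the existing comment should say so, e.g. extend it with `open/read failures and empty reads fall back to the generic message`. The helper calls `open`, `read` and `close`, which need `<fcntl.h>` and `<unistd.h>`; whether this file already includes them is not visible in the hunk.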
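Review bot: `ERR_peek_error()` returns the oldest entry on the thread's OpenSSL error queue, so the `ERR_LIB_PEM`/`PEM_R_NO_START_LINE` classification only describes this call's failure if the queue was empty beforehand; should any earlier step in `ssl_proxy_init` have left an entry queued, a stale error is examined instead and the new diagnostics are silently bypassed in favour of the generic `ssl_last_error()` message. Clearing the queue right before the call pins the check to this failure: add `ERR_clear_error();` on the line immediately before `if (SSL_CTX_use_certificate_chain_file(ssl_ctx, certfile) != 1) {`. Peeking the oldest entry rather than using `ERR_peek_last_error()` is otherwise the right choice, since (as far as I recall) the PEM-library reason is pushed before the SSL-library wrapper error. `ssl_proxy_init` begins before this hunk and continues past it, so I cannot see whether the queue is already cleared earlier in the function.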