diff --git a/openvpn/openssl/ssl/sslctx.hpp b/openvpn/openssl/ssl/sslctx.hpp
index 01227a35..098f2840 100644
--- a/openvpn/openssl/ssl/sslctx.hpp
+++ b/openvpn/openssl/ssl/sslctx.hpp
@@ -1976,6 +1976,7 @@ class OpenSSLContext : public SSLFactoryAPI
 self_ssl->authcert->add_fail(depth, AuthCert::Fail::BAD_CERT_TYPE, "bad peer-fingerprint in leaf certificate");
+ X509_STORE_CTX_set_error(ctx, X509_V_ERR_CERT_SIGNATURE_FAILURE);
 preverify_ok = false;
 }
@@ -1987,6 +1988,7 @@ class OpenSSLContext : public SSLFactoryAPI
 self_ssl->authcert->add_fail(depth, AuthCert::Fail::BAD_CERT_TYPE, "bad ns-cert-type in leaf certificate");
+ X509_STORE_CTX_set_error(ctx, X509_V_ERR_INVALID_PURPOSE);
 preverify_ok = false;
 }
@@ -1998,6 +2000,7 @@ class OpenSSLContext : public SSLFactoryAPI
 self_ssl->authcert->add_fail(depth, AuthCert::Fail::BAD_CERT_TYPE, "bad X509 key usage in leaf certificate");
+ X509_STORE_CTX_set_error(ctx, X509_V_ERR_INVALID_PURPOSE);
 preverify_ok = false;
 }
@@ -2009,6 +2012,7 @@ class OpenSSLContext : public SSLFactoryAPI
 self_ssl->authcert->add_fail(depth, AuthCert::Fail::BAD_CERT_TYPE, "bad X509 extended key usage in leaf certificate");
+ X509_STORE_CTX_set_error(ctx, X509_V_ERR_INVALID_PURPOSE);
 preverify_ok = false;
 }
@@ -2023,12 +2027,14 @@ class OpenSSLContext : public SSLFactoryAPI
 if (self->config->cn_reject_handler->reject(cn))
 {
 OVPN_LOG_INFO("VERIFY FAIL -- early rejection of leaf cert Common Name");
+ X509_STORE_CTX_set_error(ctx, X509_V_ERR_CERT_REJECTED);
 preverify_ok = false;
 }
 }
 catch (const std::exception &e)
 {
 OVPN_LOG_INFO("VERIFY FAIL -- early rejection of leaf cert Common Name due to handler exception: " << e.what());
+ X509_STORE_CTX_set_error(ctx, X509_V_ERR_CERT_REJECTED);
 preverify_ok = false;
 }
 }
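Review bot: `X509_V_ERR_CERT_SIGNATURE_FAILURE` in the first hunk is a misleading code for a peer-fingerprint mismatch: the leaf's signature is not what failed, the certificate simply does not match the pinned fingerprint, and an operator reading the resulting verify error string will go looking for a corrupted or mis-signed certificate instead of a pin mismatch. The last hunk already uses `X509_V_ERR_CERT_REJECTED` for an application-level rejection, and OpenSSL also defines `X509_V_ERR_APPLICATION_VERIFICATION` for exactly this situation, so `X509_STORE_CTX_set_error(ctx, X509_V_ERR_CERT_REJECTED);` would keep the reason codes consistent across the five hunks. If I read OpenSSL's verify-error-to-alert mapping correctly, a signature-failure code is also surfaced to the peer as a decrypt_error alert rather than bad_certificate, which hides the real cause from the remote side's logs as well; worth confirming against the OpenSSL version in use. The enclosing verify callback starts before the first hunk and ends after the last, and a short comment at the first call such as `// set an explicit verify error so the failure reason reaches the log and the TLS alert instead of "unspecified"` would document why each rejection now sets a code alongside `preverify_ok = false`.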