commit 0f17ab2fdd83ff4f58151a44a8fe1bc22e5b9c18
author William Lallemand <wlallemand@haproxy.org> Tue Jul 19 18:03:16 2022 +0200
committer William Lallemand <wlallemand@haproxy.org> Tue Jul 19 19:13:08 2022 +0200
tree b8793787eeb4af18a54b7c5cc26e4e2a8cdae824
parent 3b8bafd4a74519c914e47845ec11700202475f2a

MINOR: ssl: enhance ca-file error emitting

Enhance the errors and warnings when trying to load a ca-file with
ssl_store_load_locations_file().

Add errors from ERR_get_error() and strerror to give more information to
the user.

src/ssl_ckch.c

diff --git a/src/ssl_ckch.c b/src/ssl_ckch.c
index b0bd7bd..0992240 100644
--- a/src/ssl_ckch.c
+++ b/src/ssl_ckch.c
@@ -1152,6 +1152,11 @@
 	return retval;
 }
 
+/*
+ * Try to load a ca-file from disk into the ca-file cache.
+ *
+ *  Return 0 upon error
+ */
 int ssl_store_load_locations_file(char *path, int create_if_none, enum cafile_type type)
 {
 	X509_STORE *store = ssl_store_get0_locations_file(path);
@@ -1166,16 +1171,27 @@
 		struct cafile_entry *ca_e;
 		const char *file = NULL;
 		const char *dir = NULL;
+		unsigned long e;
 
 		store = X509_STORE_new();
+		if (!store) {
+			ha_alert("Cannot allocate memory!");
+			goto err;
+		}
 
 		if (strcmp(path, "@system-ca") == 0) {
 			dir = X509_get_default_cert_dir();
+			if (!dir) {
+				ha_alert("Couldn't get the system CA directory from X509_get_default_cert_dir().");
+				goto err;
+			}
 
 		} else {
 
-			if (stat(path, &buf))
+			if (stat(path, &buf) == -1) {
+				ha_alert("Couldn't open the ca-file '%s' (%s).", path, strerror(errno));
 				goto err;
+			}
 
 			if (S_ISDIR(buf.st_mode))
 				dir = path;
@@ -1185,6 +1201,8 @@
 
 		if (file) {
 			if (!X509_STORE_load_locations(store, file, NULL)) {
+				e = ERR_get_error();
+				ha_alert("Couldn't open the ca-file '%s' (%s).", path, ERR_reason_error_string(e));
 				goto err;
 			}
 		} else if (dir) {
@@ -1244,10 +1262,12 @@
 				continue;
 
 scandir_err:
+				e = ERR_get_error();
 				X509_free(ca);
 				BIO_free(in);
 				free(de);
-				ha_warning("ca-file: '%s' couldn't load '%s'\n", path, trash.area);
+				/* warn if it can load one of the files, but don't abort */
+				ha_warning("ca-file: '%s' couldn't load '%s' (%s)\n", path, trash.area, ERR_reason_error_string(e));
 
 			}
 			free(de_list);
@@ -1258,12 +1278,14 @@
 
 		objs = X509_STORE_get0_objects(store);
 		cert_count = sk_X509_OBJECT_num(objs);
-		if (cert_count == 0)
+		if (cert_count == 0) {
 			ha_warning("ca-file: 0 CA were loaded from '%s'\n", path);
-
+		}
 		ca_e = ssl_store_create_cafile_entry(path, store, type);
-		if (!ca_e)
+		if (!ca_e) {
+			ha_alert("Cannot allocate memory!\n");
 			goto err;
+		}
 		ebst_insert(&cafile_tree, &ca_e->node);
 	}
 	return (store != NULL);