Merge branch 'mbedtls-3.6-restricted' into mbedtls-3.6.1rc0-pr

Signed-off-by: David Horstmann <david.horstmann@arm.com>
2025-07-29 11:41:15 +03:00 · 2024-08-28 20:48:27 +01:00
parent 72064b202e 8b8228ce2e
commit 9f10979853
17 changed files with 795 additions and 540 deletions
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@ -2223,7 +2223,9 @@ usage:
            ret != MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS) {
            mbedtls_printf(" failed\n  ! mbedtls_ssl_handshake returned -0x%x\n",
                           (unsigned int) -ret);
-            if (ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED) {
+#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
+            if (ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED ||
+                ret == MBEDTLS_ERR_SSL_BAD_CERTIFICATE) {
                mbedtls_printf(
                    "    Unable to verify the server's certificate. "
                    "Either it is invalid,\n"
@ -2234,7 +2236,13 @@ usage:
                    "not using TLS 1.3.\n"
                    "    For TLS 1.3 server, try `ca_path=/etc/ssl/certs/`"
                    "or other folder that has root certificates\n");
+
+                flags = mbedtls_ssl_get_verify_result(&ssl);
+                char vrfy_buf[512];
+                x509_crt_verify_info(vrfy_buf, sizeof(vrfy_buf), "  ! ", flags);
+                mbedtls_printf("%s\n", vrfy_buf);
            }
+#endif
            mbedtls_printf("\n");
            goto exit;
        }
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@ -3513,7 +3513,8 @@ handshake:
                       (unsigned int) -ret);

 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
-        if (ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED) {
+        if (ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED ||
+            ret == MBEDTLS_ERR_SSL_BAD_CERTIFICATE) {
            char vrfy_buf[512];
            flags = mbedtls_ssl_get_verify_result(&ssl);