diff -Naur libreswan-3.25-orig/programs/pluto/nss_cert_verify.c libreswan-3.25/programs/pluto/nss_cert_verify.c
--- libreswan-3.25-orig/programs/pluto/nss_cert_verify.c 2019-02-23 21:15:03.910589319 -0500
+++ libreswan-3.25/programs/pluto/nss_cert_verify.c 2019-02-23 21:42:05.955565629 -0500
@@ -121,7 +121,7 @@
 return FALSE;
 }
-static int nss_err_to_revfail(CERTVerifyLogNode *node)
+static int nss_err_to_revfail(char *prefix, CERTVerifyLogNode *node)
 {
 int ret = VERIFY_RET_FAIL;
@@ -131,7 +131,7 @@
 loglog(RC_LOG_SERIOUS, "Certificate %s failed verification", node->cert->subjectName);
- loglog(RC_LOG_SERIOUS, "ERROR: %s",
+ loglog(RC_LOG_SERIOUS, "%s: %s", prefix,
 nss_err_str(node->error));
 if (node->error == SEC_ERROR_REVOKED_CERTIFICATE) {
@@ -298,18 +298,18 @@
 cvout[1].value.pointer.chain = NULL;
 cvout[2].type = cert_po_end;
- int fin;
+ int fin = VERIFY_RET_FAIL;
 #ifdef NSS_IPSEC_PROFILE
 SECStatus rv = CERT_PKIXVerifyCert(end_cert, certificateUsageIPsec, cvin, cvout, NULL);
 if (rv != SECSuccess || cur_log->count > 0) {
 if (cur_log->count > 0 && cur_log->head != NULL) {
- fin = nss_err_to_revfail(cur_log->head);
+ fin = nss_err_to_revfail("warning", cur_log->head);
 } else {
 /*
 * An rv != SECSuccess without CERTVerifyLog
- * results should not * happen, but catch it anyway
+ * results should not happen, but catch it anyway
 */
 loglog(RC_LOG_SERIOUS, "X509: unspecified NSS verification failure");
 fin = VERIFY_RET_FAIL;
@@ -319,7 +319,11 @@
 *end_out = end_cert;
 fin = VERIFY_RET_OK;
 }
-#else
+#endif
+
+ if (fin != VERIFY_RET_OK)
+ {
+ /* kludge alert!!
 * verification may be performed twice: once with the
 * 'client' usage and once with 'server', which is an NSS
@@ -348,7 +352,8 @@
 cvout[1].value.pointer.chain = NULL;
 continue;
 } else {
- fin = nss_err_to_revfail(cur_log->head);
+ fin = nss_err_to_revfail("ERROR", cur_log->head);
+ loglog(RC_LOG_SERIOUS, "X509: verification failure using NSS TLS profile validation");
 }
 } else {
 /*
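Review bot: The new `prefix` parameter in the signature at the `-121,7` hunk should be `const char *`, since both callers added by this patch pass string literals and its only use, in the `-131,7` hunk, reads it through a `%s` conversion: `static int nss_err_to_revfail(const char *prefix, CERTVerifyLogNode *node)`. A non-const `char *` invites a later write through the pointer into read-only storage and would force a cast if a caller ever passes a const buffer. The body of nss_err_to_revfail continues outside both hunks.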
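Review bot: Labelling the IPsec-profile failure `"warning"` at the changed nss_err_to_revfail call in the `-298,18` hunk does not affect the line above it in the `-131,7` hunk, which still logs `Certificate %s failed verification` at RC_LOG_SERIOUS unconditionally, and nothing visible later records that the TLS-profile retry succeeded. For a connection that is only accepted through the fallback, the log therefore reads as a verification failure followed by a warning, which points operators and incident responders at the wrong cause. Consider carrying the prefix into that first message as well, `loglog(RC_LOG_SERIOUS, "%s: certificate %s failed verification", prefix, node->cert->subjectName);`, or logging the final outcome where fin is set to VERIFY_RET_OK after the retry. The `#ifdef NSS_IPSEC_PROFILE` opened here is closed in the `-319,7` hunk, so the enclosing function spans several hunks.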
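Review bot: The guard `if (fin != VERIFY_RET_OK)` in the `-319,7` hunk re-runs the TLS-profile verification for every non-OK result of the IPsec-profile pass, including the revoked verdict that nss_err_to_revfail derives from SEC_ERROR_REVOKED_CERTIFICATE in the `-131,7` hunk, and the retry then overwrites `fin` — with its own failure code in the `-348,7` hunk, and presumably with VERIFY_RET_OK where it succeeds — so a definitive revocation result can be downgraded or lost. Revocation should not be retried: restrict the guard to the plain failure case, e.g. `if (fin == VERIFY_RET_FAIL)`, or exclude the revoked return code explicitly. Nothing is logged when the fallback is entered, so a peer accepted only via the TLS profile leaves no trace; a one-line `loglog(RC_LOG_SERIOUS, "X509: NSS IPsec profile verification failed, retrying with TLS profile");` at the top of the block, kept inside `#ifdef NSS_IPSEC_PROFILE` because the block also runs when that profile is compiled out, would make the downgrade visible. The opening brace on its own line also departs from the K&R layout of the surrounding `} else {` lines; `if (fin != VERIFY_RET_OK) {` matches. The block closes in the `-365,7` hunk.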
@@ -365,7 +370,9 @@
 }
 break;
 }
-#endif
+
+ }
+ pexpect(fin != 0);
 CERT_DestroyCertList(trustcl);