diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 00b203cbfa..a2cc612f4b 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -1489,10 +1489,12 @@ open_client_SSL(PGconn *conn) { int r; + SOCK_ERRNO_SET(0); ERR_clear_error(); r = SSL_connect(conn->ssl); if (r <= 0) { + int save_errno = SOCK_ERRNO; int err = SSL_get_error(conn->ssl, r); unsigned long ecode; @@ -1508,10 +1510,22 @@ open_client_SSL(PGconn *conn) case SSL_ERROR_SYSCALL: { char sebuf[PG_STRERROR_R_BUFLEN]; - - if (r == -1) + unsigned long vcode; + + vcode = SSL_get_verify_result(conn->ssl); + + /* + * If we get an X509 error here without an error in the + * socket layer it means that verification failed without + * it being a protocol error. A common cause is trying to + * a default system CA which is missing or broken. + */ + if (!save_errno && vcode != X509_V_OK) + libpq_append_conn_error(conn, "SSL error: certificate verify failed: %s", + X509_verify_cert_error_string(ecode)); + else if (r == -1) libpq_append_conn_error(conn, "SSL SYSCALL error: %s", - SOCK_STRERROR(SOCK_ERRNO, sebuf, sizeof(sebuf))); + SOCK_STRERROR(save_errno, sebuf, sizeof(sebuf))); else libpq_append_conn_error(conn, "SSL SYSCALL error: EOF detected"); pgtls_close(conn);