Auto merge of #11932 - jdm:servoorg-cert, r=asajeffrey

Print out useful SSL-related information on SSL error page. Make certificate error pages more useful. Attempt to identify known cases where upgrading OpenSSL would be useful. <img width="553" alt="screen shot 2016-06-29 at 12 29 30 pm" src="https://cloud.githubusercontent.com/assets/27658/16460435/4d07d5e2-3df5-11e6-94ab-cf061c0e64cc.png"> --- - [X] `./mach build -d` does not report any errors - [X] `./mach test-tidy` does not report any errors  --- This change is [<img src="https://reviewable.io/review_button.svg" height="35" align="absmiddle" alt="Reviewable"/>](https://reviewable.io/reviews/servo/servo/11932)
2025-08-11 00:15:32 +01:00 · 2016-06-29 16:47:57 -05:00 · 2016-06-29 16:47:57 -05:00 · 305eda66dd
commit 305eda66dd
parent dcc4697dde 8422dac811
5 changed files with 46 additions and 12 deletions
--- a/components/net/http_loader.rs
+++ b/components/net/http_loader.rs
@ -33,6 +33,7 @@ use net_traits::hosts::replace_hosts;
 use net_traits::response::HttpsState;
 use net_traits::{CookieSource, IncludeSubdomains, LoadConsumer, LoadContext, LoadData};
 use net_traits::{Metadata, NetworkError, RequestSource, CustomResponse};
+use openssl;
 use openssl::ssl::error::{SslError, OpensslError};
 use profile_traits::time::{ProfilerCategory, profile, ProfilerChan, TimerMetadata};
 use profile_traits::time::{TimerMetadataReflowType, TimerMetadataFrameType};
@ -143,8 +144,8 @@ fn load_for_consumer(load_data: LoadData,
        Err(error) => {
            match error.error {
                LoadErrorType::ConnectionAborted { .. } => unreachable!(),
-                LoadErrorType::Ssl { .. } => send_error(error.url.clone(),
-                                                        NetworkError::SslValidation(error.url),
+                LoadErrorType::Ssl { reason } => send_error(error.url.clone(),
+                                                        NetworkError::SslValidation(error.url, reason),
                                                        start_chan),
                LoadErrorType::Cancelled => send_error(error.url, NetworkError::LoadCancelled, start_chan),
                _ => send_error(error.url, NetworkError::Internal(error.error.description().to_owned()), start_chan)
@ -259,8 +260,21 @@ impl HttpRequestFactory for NetworkHttpRequestFactory {
            let error: &(Error + Send + 'static) = &**error;
            if let Some(&SslError::OpenSslErrors(ref errors)) = error.downcast_ref::<SslError>() {
                if errors.iter().any(is_cert_verify_error) {
-                    let msg = format!("ssl error: {:?} {:?}", error.description(), error.cause());
-                    return Err(LoadError::new(url, LoadErrorType::Ssl { reason: msg }));
+                    let mut error_report = vec![format!("ssl error ({}):", openssl::version::version())];
+                    let mut suggestion = None;
+                    for err in errors {
+                        if is_unknown_message_digest_err(err) {
+                            suggestion = Some("<b>Servo recommends upgrading to a newer OpenSSL version.</b>");
+                        }
+                        error_report.push(format_ssl_error(err));
+                    }
+
+                    if let Some(suggestion) = suggestion {
+                        error_report.push(suggestion.to_owned());
+                    }
+
+                    let error_report = error_report.join("<br>\n");
+                    return Err(LoadError::new(url, LoadErrorType::Ssl { reason: error_report }));
                }
            }
        }
@ -1126,6 +1140,24 @@ fn is_cert_verify_error(error: &OpensslError) -> bool {
    }
 }

+fn is_unknown_message_digest_err(error: &OpensslError) -> bool {
+    match error {
+        &OpensslError::UnknownError { ref library, ref function, ref reason } => {
+            library == "asn1 encoding routines" &&
+            function == "ASN1_item_verify" &&
+            reason == "unknown message digest algorithm"
+        }
+    }
+}
+
+fn format_ssl_error(error: &OpensslError) -> String {
+    match error {
+        &OpensslError::UnknownError { ref library, ref function, ref reason } => {
+            format!("{}: {} - {}", library, function, reason)
+        }
+    }
+}
+
 fn to_resource_type(context: &LoadContext) -> ResourceType {
    match *context {
        LoadContext::Browsing => ResourceType::Document,
--- a/components/net/resource_thread.rs
+++ b/components/net/resource_thread.rs
@ -158,8 +158,8 @@ fn start_sending_opt(start_chan: LoadConsumer, metadata: Metadata,
        }
        LoadConsumer::Listener(target) => {
            match network_error {
-                Some(NetworkError::SslValidation(url)) => {
-                    let error = NetworkError::SslValidation(url);
+                Some(NetworkError::SslValidation(url, reason)) => {
+                    let error = NetworkError::SslValidation(url, reason);
                    target.invoke_with_listener(ResponseAction::HeadersAvailable(Err(error)));
                }
                _ => target.invoke_with_listener(ResponseAction::HeadersAvailable(Ok(metadata))),