From 642716a562ab217971d55581011b5050383df630 Mon Sep 17 00:00:00 2001
From: Jorge Niedbalski
Date: Tue, 29 Oct 2024 08:26:40 +0000
Subject: [PATCH] tls: include X509 error string when verify result is not x509_V_OK. (#9527)
Add the X509_verify_cert_error_string to the log message when SSL verification result != X509_V_OK.
Signed-off-by: Jorge Niedbalski
Co-authored-by: Jorge Niedbalski
---
 src/tls/openssl.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/tls/openssl.c b/src/tls/openssl.c
index 38bba04e4f0..074dace6796 100644
--- a/src/tls/openssl.c
+++ b/src/tls/openssl.c
@@ -684,6 +684,7 @@ static int tls_net_handshake(struct flb_tls *tls,
 char err_buf[256];
 struct tls_session *session = ptr_session;
 struct tls_context *ctx;
+ const char *x509_err;
 ctx = session->parent;
 pthread_mutex_lock(&ctx->mutex);
@@ -743,8 +744,9 @@ static int tls_net_handshake(struct flb_tls *tls,
 if (ret == 0) {
 ssl_code = SSL_get_verify_result(session->ssl);
 if (ssl_code != X509_V_OK) {
- flb_error("[tls] error: unexpected EOF with reason: %s",
- ERR_reason_error_string(ERR_get_error()));
+ /* Refer to: https://x509errors.org/ */
+ x509_err = X509_verify_cert_error_string(ssl_code);
+ flb_error("[tls] certificate verification failed, reason: %s (X509 code: %ld)", x509_err, ssl_code);
 }
 else {
 flb_error("[tls] error: unexpected EOF");
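Review bot: The new message in the `ssl_code != X509_V_OK` branch names certificate verification as the cause, but the branch is only reached on `ret == 0`, which the removed text described as an unexpected EOF. OpenSSL records a non-OK verify result even when peer verification is disabled, so an unrelated EOF on such a connection would be logged as a verification failure. Keeping both facts avoids misleading whoever triages the log, for example `flb_error("[tls] error: unexpected EOF, certificate verify result: %s (X509 code: %ld)", x509_err, ssl_code);`. The branch also no longer calls `ERR_get_error()`, so any entry on the OpenSSL error queue is left unread here, and whether it is cleared elsewhere cannot be seen from the hunk. `%ld` is correct only if `ssl_code` is declared `long`, and that declaration, like the rest of `tls_net_handshake`, lies outside the hunk.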