authorFedor Indutny <fedor@indutny.com>2014-04-14 20:08:38 +0400
committerFedor Indutny <fedor@indutny.com>2014-07-03 00:41:39 +0400
commite34525356201654bfe35b4bb7edec6f5b47b6374 (patch)
tree24ec43028e4804b6e85b586f8a036b278c3139d0 /lib/tls.js
parentae1e325e8a3f05bb17959ec507664e2d06588327 (diff)
tls: better error reporting at cert validation
fix #7417
Signed-off-by: Fedor Indutny <fedor@indutny.com>
Diffstat (limited to 'lib/tls.js')
-rw-r--r--lib/tls.js30
1 files changed, 28 insertions, 2 deletions
diff --git a/lib/tls.js b/lib/tls.js
index 9345632353..b698cc11e9 100644
--- a/lib/tls.js
+++ b/lib/tls.js
@@ -113,7 +113,8 @@ exports.checkServerIdentity = function checkServerIdentity(host, cert) {
uriNames = [],
ips = [],
matchCN = true,
- valid = false;
+ valid = false,
+ reason = 'Unknown reason';
// There're several names to perform check against:
// CN and altnames in certificate extension
@@ -142,6 +143,11 @@ exports.checkServerIdentity = function checkServerIdentity(host, cert) {
valid = ips.some(function(ip) {
return ip === host;
});
+ if (!valid) {
+ reason = util.format('IP: %s is not in the cert\'s list: %s',
+ host,
+ ips.join(', '));
+ }
} else {
// Transform hostname to canonical form
if (!/\.$/.test(host)) host += '.';
@@ -183,9 +189,29 @@ exports.checkServerIdentity = function checkServerIdentity(host, cert) {
valid = dnsNames.some(function(re) {
return re.test(host);
});
+
+ if (!valid) {
+ if (cert.subjectaltname) {
+ reason = util.format('Host: %s is not in the cert\'s altnames: %s',
+ host,
+ cert.subjectaltname);
+ } else {
+ reason = util.format('Host: %s is not cert\'s CN: %s',
+ host,
+ cert.subject.CN);
+ }
+ }
}
- return valid;
+ if (!valid) {
+ var err = new Error(
+ util.format('Hostname/IP doesn\'t match certificate\'s altnames: %j',
+ reason));
+ err.reason = reason;
+ err.host = host;
+ err.cert = cert;
+ return err;
+ }
};
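Review bot: The return contract of the exported `checkServerIdentity` is inverted by the block that replaces `return valid;` at the end of this hunk: a mismatch now yields a truthy Error object and a match yields `undefined`, so any caller outside this commit that still tests the result as a boolean (`if (!checkServerIdentity(host, cert)) ...`) will accept a non-matching certificate and reject a matching one. The function's definition lies above the first hunk, and that is where a comment such as `// Returns undefined when host matches the certificate; otherwise returns (does not throw) an Error carrying .reason, .host and .cert — note this is the opposite of the former boolean.` belongs, ideally together with an explicit `return undefined;` after the `if (!valid)` block so the valid path is not left implicit. Separately, `err.cert = cert` attaches the whole parsed certificate to the error, so anything that logs or serializes the error will emit the certificate contents; worth stating in that comment. The `cert.subject.CN` read in the else branch presumably assumes `cert.subject` is always present — if a certificate without a subject can reach this path it would throw a TypeError instead of returning the mismatch error, which is worth confirming.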
// Example: