1 files changed, 13 insertions, 26 deletions

diff --git a/src/ne_gnutls.c b/src/ne_gnutls.c
index 1f1be93..3e0495f 100644
--- a/src/ne_gnutls.c
+++ b/src/ne_gnutls.c
@@ -325,27 +325,6 @@ void ne_ssl_cert_validity_time(const ne_ssl_certificate *cert,
     }
 }
 
-/* Return non-zero if hostname from certificate (cn) matches hostname
- * used for session (hostname).  (Wildcard matching is no longer
- * mandated by RFC3280, but certs are deployed which use wildcards) */
-static int match_hostname(char *cn, const char *hostname)
-{
-    const char *dot;
-    dot = strchr(hostname, '.');
-    if (dot == NULL) {
-	char *pnt = strchr(cn, '.');
-	/* hostname is not fully-qualified; unqualify the cn. */
-	if (pnt != NULL) {
-	    *pnt = '\0';
-	}
-    }
-    else if (strncmp(cn, "*.", 2) == 0) {
-	hostname = dot + 1;
-	cn += 2;
-    }
-    return !ne_strcasecmp(cn, hostname);
-}
-
 /* Check certificate identity.  Returns zero if identity matches; 1 if
  * identity does not match, or <0 if the certificate had no identity.
  * If 'identity' is non-NULL, store the malloc-allocated identity in
@@ -371,7 +350,7 @@ static int check_identity(const ne_uri *server, gnutls_x509_crt cert,
         case GNUTLS_SAN_DNSNAME:
             name[len] = '\0';
             if (identity && !found) *identity = ne_strdup(name);
-            match = match_hostname(name, hostname);
+            match = ne__ssl_match_hostname(name, hostname);
             found = 1;
             break;
         case GNUTLS_SAN_IPADDRESS: {
@@ -440,7 +419,7 @@ static int check_identity(const ne_uri *server, gnutls_x509_crt cert,
                                                 seq, 0, name, &len);
             if (ret == 0) {
                 if (identity) *identity = ne_strdup(name);
-                match = match_hostname(name, hostname);
+                match = ne__ssl_match_hostname(name, hostname);
             }
         } else {
             return -1;
@@ -575,6 +554,7 @@ static int provide_client_cert(gnutls_session session,
         }
     } else {
         NE_DEBUG(NE_DBG_SSL, "No client certificate supplied.\n");
+        sess->ssl_cc_requested = 1;
         return GNUTLS_E_NO_CERTIFICATE_FOUND;
     }
 
@@ -733,9 +713,16 @@ int ne__negotiate_ssl(ne_session *sess)
         sess->flags[NE_SESSFLAG_TLS_SNI] ? sess->server.hostname : NULL;
 
     if (ne_sock_connect_ssl(sess->socket, ctx, sess)) {
-	ne_set_error(sess, _("SSL negotiation failed: %s"),
-		     ne_sock_error(sess->socket));
-	return NE_ERROR;
+        if (sess->ssl_cc_requested) {
+            ne_set_error(sess, _("SSL negotiation failed, "
+                                 "client certificate was requested: %s"),
+                         ne_sock_error(sess->socket));
+        }
+        else {
+            ne_set_error(sess, _("SSL negotiation failed: %s"),
+                         ne_sock_error(sess->socket));
+        }
+        return NE_ERROR;
     }
 
     sock = ne__sock_sslsock(sess->socket);