| -rw-r--r-- | src/sp/transport/tls/tls_tran_test.c | 44 | ||||
| -rw-r--r-- | src/supplemental/tls/mbedtls/tls.c | 2 |
2 files changed, 41 insertions, 5 deletions
diff --git a/src/sp/transport/tls/tls_tran_test.c b/src/sp/transport/tls/tls_tran_test.c
index d1a118ec..c6889b23 100644
--- a/src/sp/transport/tls/tls_tran_test.c
+++ b/src/sp/transport/tls/tls_tran_test.c
@@ -55,7 +55,6 @@ test_tls_port_zero_bind(void)
 nng_sockaddr sa;
 nng_listener l;
 nng_dialer d;
- char addr[NNG_MAXADDRSTRLEN];
 const nng_url *url;
 c1 = tls_server_config();
@@ -66,14 +65,12 @@ test_tls_port_zero_bind(void)
 NUTS_PASS(nng_listener_set_tls(l, c1));
 NUTS_PASS(nng_listener_start(l, 0));
 NUTS_PASS(nng_listener_get_url(l, &url));
- nng_url_sprintf(addr, sizeof(addr), url);
 NUTS_MATCH(nng_url_scheme(url), "tls+tcp");
- NUTS_TRUE(memcmp(addr, "tls+tcp://", 6) == 0);
 NUTS_PASS(nng_listener_get_addr(l, NNG_OPT_LOCADDR, &sa));
 NUTS_TRUE(sa.s_in.sa_family == NNG_AF_INET);
 NUTS_TRUE(sa.s_in.sa_port != 0);
 NUTS_TRUE(sa.s_in.sa_addr = nuts_be32(0x7f000001));
- NUTS_PASS(nng_dialer_create(&d, s2, addr));
+ NUTS_PASS(nng_dialer_create_url(&d, s2, url));
 NUTS_PASS(nng_dialer_set_tls(d, c2));
 NUTS_PASS(nng_dialer_start(d, 0));
 NUTS_CLOSE(s2);
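Review bot: `NUTS_TRUE(sa.s_in.sa_addr = nuts_be32(0x7f000001));` in test_tls_port_zero_bind assigns instead of comparing, so the assertion passes for any bound address and overwrites the value it was meant to check; it should read `NUTS_TRUE(sa.s_in.sa_addr == nuts_be32(0x7f000001));`. The line is unchanged context in this hunk, but the commit copies it verbatim into the new test_tls_bad_cert_mutual in the next hunk, where the same fix applies. The body of test_tls_port_zero_bind starts and ends outside this hunk.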
@@ -83,6 +80,44 @@ test_tls_port_zero_bind(void)
 }
 void
+test_tls_bad_cert_mutual(void)
+{
+ nng_socket s1;
+ nng_socket s2;
+ nng_tls_config *c1, *c2;
+ nng_sockaddr sa;
+ nng_listener l;
+ nng_dialer d;
+ const nng_url *url;
+
+ c1 = tls_server_config();
+ c2 = tls_client_config();
+
+ NUTS_ENABLE_LOG(NNG_LOG_DEBUG);
+ NUTS_OPEN(s1);
+ NUTS_OPEN(s2);
+ NUTS_PASS(nng_tls_config_auth_mode(c1, NNG_TLS_AUTH_MODE_REQUIRED));
+ // a valid cert, but not the one that signed the config!
+ NUTS_PASS(nng_tls_config_ca_chain(c1, nuts_ecdsa_server_crt, NULL));
+ NUTS_PASS(nng_listener_create(&l, s1, "tls+tcp://127.0.0.1:0"));
+ NUTS_PASS(nng_listener_set_tls(l, c1));
+ NUTS_PASS(nng_listener_start(l, 0));
+ NUTS_PASS(nng_listener_get_url(l, &url));
+ NUTS_MATCH(nng_url_scheme(url), "tls+tcp");
+ NUTS_PASS(nng_listener_get_addr(l, NNG_OPT_LOCADDR, &sa));
+ NUTS_TRUE(sa.s_in.sa_family == NNG_AF_INET);
+ NUTS_TRUE(sa.s_in.sa_port != 0);
+ NUTS_TRUE(sa.s_in.sa_addr = nuts_be32(0x7f000001));
+ NUTS_PASS(nng_dialer_create_url(&d, s2, url));
+ NUTS_PASS(nng_dialer_set_tls(d, c2));
+ NUTS_FAIL(nng_dialer_start(d, 0), NNG_ECRYPTO);
+ nng_msleep(50);
+ NUTS_CLOSE(s2);
+ NUTS_CLOSE(s1);
+ nng_tls_config_free(c1);
+ nng_tls_config_free(c2);
+}
+void
 test_tls_malformed_address(void)
 {
 nng_socket s1;
@@ -285,5 +320,6 @@ NUTS_TESTS = {
 { "tls keep alive option", test_tls_keep_alive_option },
 { "tls recv max", test_tls_recv_max },
 { "tls pre-shared key", test_tls_psk },
+ { "tsl bad cert mutual", test_tls_bad_cert_mutual },
 { NULL, NULL },
 };
diff --git a/src/supplemental/tls/mbedtls/tls.c b/src/supplemental/tls/mbedtls/tls.c
index 8b62cd7f..9adae588 100644
--- a/src/supplemental/tls/mbedtls/tls.c
+++ b/src/supplemental/tls/mbedtls/tls.c
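Review bot: The only check that the peer was rejected in test_tls_bad_cert_mutual is the dialer's return code, `NUTS_FAIL(nng_dialer_start(d, 0), NNG_ECRYPTO);`, so nothing asserts that the listener, which is the side configured with NNG_TLS_AUTH_MODE_REQUIRED, actually refused the connection. Depending on the TLS version and engine, a client may learn of a certificate rejection only after its own handshake steps have finished, so the client-side code could vary; a listener-side assertion that no pipe was established would pin the property directly. Whether tls_client_config() presents a client certificate is not visible in this hunk; if it does not, the test covers a missing certificate rather than one from an untrusted CA, and the comment `// a valid cert, but not the one that signed the config!` should say which case is meant. The bare `nng_msleep(50);` should carry a comment stating what it waits for, and `NUTS_ENABLE_LOG(NNG_LOG_DEBUG);` looks like a debugging leftover.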
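Review bot: The registered name `"tsl bad cert mutual"` in NUTS_TESTS misspells the "tls" prefix that every other visible entry uses, so a test run selected by name on "tls" would presumably skip the one test that covers client-certificate rejection. The entry should read `{ "tls bad cert mutual", test_tls_bad_cert_mutual },`. The NUTS_TESTS table starts outside this hunk.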
@@ -152,7 +152,7 @@ tls_log_warn(const char *msgid, const char *context, int errnum)
 {
 char errbuf[256];
 mbedtls_strerror(errnum, errbuf, sizeof(errbuf));
- nng_log_warn(msgid, "%s: %s", context, errbuf);
+ nng_log_warn(msgid, "%s: %d - %s", context, errnum, errbuf);
 }
 // tls_mk_err converts an mbed error to an NNG error. |
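Review bot: The added `%d` in tls_log_warn prints errnum in signed decimal, while mbed TLS defines its error codes as negative hexadecimal constants, so anyone triaging a handshake failure has to convert the logged number by hand before looking it up. Logging it as `nng_log_warn(msgid, "%s: -0x%04x - %s", context, (unsigned) -errnum, errbuf);` would match the headers, assuming the function is only ever called with negative mbed TLS codes. A one-line comment above the function such as `// errnum is an mbed TLS error code (negative); it is logged alongside its text` would record that assumption.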
