zeroc-ice 3.7.3 → 3.7.7

data/ext/ice/cpp/src/IceLocatorDiscovery/IceLocatorDiscovery.cpp

@@ -2,7 +2,7 @@
 // Copyright (c) ZeroC, Inc. All rights reserved.
 //
 //
-// Ice version 3.7.3
+// Ice version 3.7.7
 //
 // <auto-generated>
 //
@@ -38,7 +38,7 @@
 #   if ICE_INT_VERSION % 100 >= 50
 #       error Beta header file detected
 #   endif
-#   if ICE_INT_VERSION % 100 < 3
+#   if ICE_INT_VERSION % 100 < 7
 #       error Ice patch level mismatch!
 #   endif
 #endif

data/ext/ice/cpp/src/IceLocatorDiscovery/IceLocatorDiscovery.h

@@ -2,7 +2,7 @@
 // Copyright (c) ZeroC, Inc. All rights reserved.
 //
 //
-// Ice version 3.7.3
+// Ice version 3.7.7
 //
 // <auto-generated>
 //
@@ -44,7 +44,7 @@
 #   if ICE_INT_VERSION % 100 >= 50
 #       error Beta header file detected
 #   endif
-#   if ICE_INT_VERSION % 100 < 3
+#   if ICE_INT_VERSION % 100 < 7
 #       error Ice patch level mismatch!
 #   endif
 #endif
@@ -242,7 +242,7 @@ public:
                       ::std::function<void(bool)> sent = nullptr,
                       const ::Ice::Context& context = ::Ice::noExplicitContext)
     {
-        return _makeLamdaOutgoing<void>(response, ex, sent, this, &IceLocatorDiscovery::LookupReplyPrx::_iceI_foundLocator, prx, context);
+        return _makeLamdaOutgoing<void>(std::move(response), std::move(ex), std::move(sent), this, &IceLocatorDiscovery::LookupReplyPrx::_iceI_foundLocator, prx, context);
     }
 
     /// \cond INTERNAL
@@ -328,7 +328,7 @@ public:
                      ::std::function<void(bool)> sent = nullptr,
                      const ::Ice::Context& context = ::Ice::noExplicitContext)
     {
-        return _makeLamdaOutgoing<void>(response, ex, sent, this, &IceLocatorDiscovery::LookupPrx::_iceI_findLocator, instanceName, reply, context);
+        return _makeLamdaOutgoing<void>(std::move(response), std::move(ex), std::move(sent), this, &IceLocatorDiscovery::LookupPrx::_iceI_findLocator, instanceName, reply, context);
     }
 
     /// \cond INTERNAL
@@ -705,6 +705,12 @@ public:
 
     virtual ~LookupReply();
 
+#ifdef ICE_CPP11_COMPILER
+    LookupReply() = default;
+    LookupReply(const LookupReply&) = default;
+    LookupReply& operator=(const LookupReply&) = default;
+#endif
+
     /**
      * Determines whether this object supports an interface with the given Slice type ID.
      * @param id The fully-scoped Slice type ID.
@@ -788,6 +794,12 @@ public:
 
     virtual ~Lookup();
 
+#ifdef ICE_CPP11_COMPILER
+    Lookup() = default;
+    Lookup(const Lookup&) = default;
+    Lookup& operator=(const Lookup&) = default;
+#endif
+
     /**
      * Determines whether this object supports an interface with the given Slice type ID.
      * @param id The fully-scoped Slice type ID.

data/ext/ice/cpp/src/IceLocatorDiscovery/PluginI.cpp

@@ -706,7 +706,18 @@ void
 LocatorI::foundLocator(const Ice::LocatorPrxPtr& locator)
 {
     Lock sync(*this);
-    if(!locator || (!_instanceName.empty() && locator->ice_getIdentity().category != _instanceName))
+
+    if(!locator)
+    {
+        if(_traceLevel > 2)
+        {
+            Ice::Trace out(_lookup->ice_getCommunicator()->getLogger(), "Lookup");
+            out << "ignoring locator reply: (null locator)";
+        }
+        return;
+    }
+
+    if(!_instanceName.empty() && locator->ice_getIdentity().category != _instanceName)
     {
         if(_traceLevel > 2)
         {

data/ext/ice/cpp/src/IceSSL/CertificateI.cpp

@@ -6,7 +6,7 @@
 #include <IceUtil/Mutex.h>
 #include <IceUtil/MutexPtrLock.h>
 #include <IceUtil/StringUtil.h>
-#include <IceSSL/Plugin.h>
+#include <IceSSL/PluginI.h>
 #include <IceSSL/Util.h>
 #include <IceSSL/RFC2253.h>
 #include <IceSSL/CertificateI.h>
@@ -277,3 +277,25 @@ CertificateI::toString() const
     os << "subject: " << string(getSubjectDN()) << "\n";
     return os.str();
 }
+
+unsigned int
+Certificate::getKeyUsage() const
+{
+    const CertificateExtendedInfo* impl = dynamic_cast<const CertificateExtendedInfo*>(this);
+    if(impl)
+    {
+        return impl->getKeyUsage();
+    }
+    return 0;
+}
+
+unsigned int
+Certificate::getExtendedKeyUsage() const
+{
+    const CertificateExtendedInfo* impl = dynamic_cast<const CertificateExtendedInfo*>(this);
+    if(impl)
+    {
+        return impl->getExtendedKeyUsage();
+    }
+    return 0;
+}

data/ext/ice/cpp/src/IceSSL/ConnectionInfo.cpp

@@ -2,7 +2,7 @@
 // Copyright (c) ZeroC, Inc. All rights reserved.
 //
 //
-// Ice version 3.7.3
+// Ice version 3.7.7
 //
 // <auto-generated>
 //
@@ -37,7 +37,7 @@
 #   if ICE_INT_VERSION % 100 >= 50
 #       error Beta header file detected
 #   endif
-#   if ICE_INT_VERSION % 100 < 3
+#   if ICE_INT_VERSION % 100 < 7
 #       error Ice patch level mismatch!
 #   endif
 #endif

data/ext/ice/cpp/src/IceSSL/ConnectionInfoF.cpp

@@ -2,7 +2,7 @@
 // Copyright (c) ZeroC, Inc. All rights reserved.
 //
 //
-// Ice version 3.7.3
+// Ice version 3.7.7
 //
 // <auto-generated>
 //
@@ -35,7 +35,7 @@
 #   if ICE_INT_VERSION % 100 >= 50
 #       error Beta header file detected
 #   endif
-#   if ICE_INT_VERSION % 100 < 3
+#   if ICE_INT_VERSION % 100 < 7
 #       error Ice patch level mismatch!
 #   endif
 #endif

data/ext/ice/cpp/src/IceSSL/EndpointInfo.cpp

@@ -2,7 +2,7 @@
 // Copyright (c) ZeroC, Inc. All rights reserved.
 //
 //
-// Ice version 3.7.3
+// Ice version 3.7.7
 //
 // <auto-generated>
 //
@@ -37,7 +37,7 @@
 #   if ICE_INT_VERSION % 100 >= 50
 #       error Beta header file detected
 #   endif
-#   if ICE_INT_VERSION % 100 < 3
+#   if ICE_INT_VERSION % 100 < 7
 #       error Ice patch level mismatch!
 #   endif
 #endif

data/ext/ice/cpp/src/IceSSL/OpenSSLCertificateI.cpp

@@ -2,7 +2,7 @@
 // Copyright (c) ZeroC, Inc. All rights reserved.
 //
 
-#include <IceSSL/Plugin.h>
+#include <IceSSL/PluginI.h>
 #include <IceSSL/OpenSSL.h>
 #include <IceSSL/CertificateI.h>
 #include <IceSSL/OpenSSLUtil.h>
@@ -39,6 +39,12 @@ extern "C" typedef void (*FreeFunc)(void*);
 
 #endif
 
+#if defined(OPENSSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER < 0x10100000L
+#   define X509_get_extension_flags(x) (x->ex_flags)
+#   define X509_get_key_usage(x)  (x->ex_kusage)
+#   define X509_get_extended_key_usage(x)  (x->ex_xkusage)
+#endif
+
 namespace
 {
 
@@ -134,7 +140,10 @@ convertGeneralNames(GENERAL_NAMES* gens)
             break;
         }
         }
-        alt.push_back(p);
+        if (!p.second.empty())
+        {
+            alt.push_back(p);
+        }
     }
     sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
     return alt;
@@ -209,26 +218,23 @@ ASMUtcTimeToTime(const ASN1_UTCTIME* s)
     }
 #  undef g2
 
-    //
-    // If timegm was on all systems this code could be
-    // return IceUtil::Time::seconds(timegm(&tm) - offset*60);
-    //
-    // Windows doesn't support the re-entrant _r versions.
-    //
-#if defined(_MSC_VER)
-#   pragma warning(disable:4996) // localtime is depercated
-#endif
     time_t tzone;
     {
         IceUtilInternal::MutexPtrLock<IceUtil::Mutex> sync(mut);
         time_t now = time(0);
-        tzone = mktime(localtime(&now)) - mktime(gmtime(&now));
-    }
+        struct tm localTime;
+        struct tm gmTime;
 #if defined(_MSC_VER)
-#   pragma warning(default:4996) // localtime is depercated
+        localtime_s(&localTime, &now);
+        gmtime_s(&gmTime, &now);
+#else
+        localtime_r(&now, &localTime);
+        gmtime_r(&now, &gmTime);
 #endif
+        tzone = mktime(&localTime) - mktime(&gmTime);
+    }
 
-    IceUtil::Time time = IceUtil::Time::seconds(mktime(&tm) - offset * 60 + tzone);
+    IceUtil::Time time = IceUtil::Time::seconds(mktime(&tm) - IceUtil::Int64(offset) * 60 + tzone);
 
 #ifdef ICE_CPP11_MAPPING
     return chrono::system_clock::time_point(chrono::microseconds(time.toMicroSeconds()));
@@ -257,6 +263,7 @@ private:
 
 class OpenSSLCertificateI : public IceSSL::OpenSSL::Certificate,
                             public CertificateI,
+                            public IceSSL::CertificateExtendedInfo,
                             public IceUtil::Mutex
 {
 public:
@@ -285,6 +292,8 @@ public:
     virtual vector<pair<int, string> > getSubjectAlternativeNames() const;
     virtual int getVersion() const;
     virtual x509_st* getCert() const;
+    virtual unsigned int getKeyUsage() const;
+    virtual unsigned int getExtendedKeyUsage() const;
 
 protected:
 
@@ -542,6 +551,94 @@ OpenSSLCertificateI::loadX509Extensions() const
     }
 }
 
+unsigned int
+OpenSSLCertificateI::getKeyUsage() const
+{
+    unsigned int keyUsage = 0;
+    int flags = X509_get_extension_flags(_cert);
+    if(flags & EXFLAG_KUSAGE)
+    {
+        unsigned int kusage = X509_get_key_usage(_cert);
+        if(kusage & KU_DIGITAL_SIGNATURE)
+        {
+            keyUsage |= KEY_USAGE_DIGITAL_SIGNATURE;
+        }
+        if(kusage & KU_NON_REPUDIATION)
+        {
+            keyUsage |= KEY_USAGE_NON_REPUDIATION;
+        }
+        if(kusage & KU_KEY_ENCIPHERMENT)
+        {
+            keyUsage |= KEY_USAGE_KEY_ENCIPHERMENT;
+        }
+        if(kusage & KU_DATA_ENCIPHERMENT)
+        {
+            keyUsage |= KEY_USAGE_DATA_ENCIPHERMENT;
+        }
+        if(kusage & KU_KEY_AGREEMENT)
+        {
+            keyUsage |= KEY_USAGE_KEY_AGREEMENT;
+        }
+        if(kusage & KU_KEY_CERT_SIGN)
+        {
+            keyUsage |= KEY_USAGE_KEY_CERT_SIGN;
+        }
+        if(kusage & KU_CRL_SIGN)
+        {
+            keyUsage |= KEY_USAGE_CRL_SIGN;
+        }
+        if(kusage & KU_ENCIPHER_ONLY)
+        {
+            keyUsage |= KEY_USAGE_ENCIPHER_ONLY;
+        }
+        if(kusage & KU_DECIPHER_ONLY)
+        {
+            keyUsage |= KEY_USAGE_DECIPHER_ONLY;
+        }
+    }
+    return keyUsage;
+}
+
+unsigned int
+OpenSSLCertificateI::getExtendedKeyUsage() const
+{
+    unsigned int extendedKeyUsage = 0;
+    int flags = X509_get_extension_flags(_cert);
+    if(flags & EXFLAG_XKUSAGE)
+    {
+        unsigned int xkusage = X509_get_extended_key_usage(_cert);
+        if(xkusage & XKU_ANYEKU)
+        {
+            extendedKeyUsage |= EXTENDED_KEY_USAGE_ANY_KEY_USAGE;
+        }
+        if(xkusage & XKU_SSL_SERVER)
+        {
+            extendedKeyUsage |= EXTENDED_KEY_USAGE_SERVER_AUTH;
+        }
+        if(xkusage & XKU_SSL_CLIENT)
+        {
+            extendedKeyUsage |= EXTENDED_KEY_USAGE_CLIENT_AUTH;
+        }
+        if(xkusage & XKU_CODE_SIGN)
+        {
+            extendedKeyUsage |= EXTENDED_KEY_USAGE_CODE_SIGNING;
+        }
+        if(xkusage & XKU_SMIME)
+        {
+            extendedKeyUsage |= EXTENDED_KEY_USAGE_EMAIL_PROTECTION;
+        }
+        if(xkusage & XKU_TIMESTAMP)
+        {
+            extendedKeyUsage |= EXTENDED_KEY_USAGE_TIME_STAMPING;
+        }
+        if(xkusage & XKU_OCSP_SIGN)
+        {
+            extendedKeyUsage |= EXTENDED_KEY_USAGE_OCSP_SIGNING;
+        }
+    }
+    return extendedKeyUsage;
+}
+
 IceSSL::OpenSSL::CertificatePtr
 IceSSL::OpenSSL::Certificate::create(x509_st* cert)
 {
@@ -559,12 +656,16 @@ IceSSL::OpenSSL::Certificate::load(const std::string& file)
     }
 
     x509_st* x = PEM_read_bio_X509(cert, ICE_NULLPTR, ICE_NULLPTR, ICE_NULLPTR);
+    BIO_free(cert);
     if(x == ICE_NULLPTR)
     {
-        BIO_free(cert);
         throw CertificateReadException(__FILE__, __LINE__, "error reading file:\n" + getSslErrors(false));
     }
-    BIO_free(cert);
+    // Calling it with -1 for the side effects, this ensure that the extensions info is loaded
+    if(X509_check_purpose(x, -1, -1) == -1)
+    {
+        throw CertificateReadException(__FILE__, __LINE__, "error loading certificate:\n" + getSslErrors(false));
+    }
     return ICE_MAKE_SHARED(OpenSSLCertificateI, x);
 }
 
@@ -573,11 +674,15 @@ IceSSL::OpenSSL::Certificate::decode(const std::string& encoding)
 {
     BIO *cert = BIO_new_mem_buf(static_cast<void*>(const_cast<char*>(&encoding[0])), static_cast<int>(encoding.size()));
     x509_st* x = PEM_read_bio_X509(cert, ICE_NULLPTR, ICE_NULLPTR, ICE_NULLPTR);
+    BIO_free(cert);
     if(x == ICE_NULLPTR)
     {
-        BIO_free(cert);
         throw CertificateEncodingException(__FILE__, __LINE__, getSslErrors(false));
     }
-    BIO_free(cert);
+    // Calling it with -1 for the side effects, this ensure that the extensions info is loaded
+    if(X509_check_purpose(x, -1, -1) == -1)
+    {
+        throw CertificateReadException(__FILE__, __LINE__, "error loading certificate:\n" + getSslErrors(false));
+    }
     return ICE_MAKE_SHARED(OpenSSLCertificateI, x);
 }

data/ext/ice/cpp/src/IceSSL/OpenSSLEngine.cpp

@@ -28,6 +28,9 @@
 
 #ifdef _MSC_VER
 #   pragma warning(disable:4127) // conditional expression is constant
+#elif defined(__GNUC__)
+#  // Ignore OpenSSL 3.0 deprecation warning
+#  pragma GCC diagnostic ignored "-Wdeprecated-declarations"
 #endif
 
 using namespace std;
@@ -816,7 +819,7 @@ OpenSSL::SSLEngine::initialize()
                             if(!_dhParams->add(keyLength, file))
                             {
                                 throw PluginInitializationException(__FILE__, __LINE__,
-                                                                "IceSSL: unable to read DH parameter file " + file);
+                                                                    "IceSSL: unable to read DH parameter file " + file);
                             }
                         }
                     }
@@ -824,6 +827,62 @@ OpenSSL::SSLEngine::initialize()
                 }
             }
 
+            int revocationCheck = getRevocationCheck();
+            if(revocationCheck > 0)
+            {
+                vector<string> crlFiles =
+                    properties->getPropertyAsList(propPrefix + "CertificateRevocationListFiles");
+                if(crlFiles.empty())
+                {
+                    throw PluginInitializationException(
+                        __FILE__,
+                        __LINE__,
+                        "IceSSL: cannot enable revocation checks without setting certificate revocation list files");
+                }
+
+                X509_STORE* store = SSL_CTX_get_cert_store(_ctx);
+                if(!store)
+                {
+                    throw PluginInitializationException(
+                        __FILE__,
+                        __LINE__,
+                        "IceSSL: unable to obtain the certificate store");
+                }
+
+                X509_LOOKUP* lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file());
+                if(!lookup)
+                {
+                    throw PluginInitializationException(__FILE__, __LINE__, "IceSSL: add lookup failed");
+                }
+
+                for(vector<string>::const_iterator it = crlFiles.begin(); it != crlFiles.end(); it++)
+                {
+                    string file;
+                    if(!checkPath(*it, defaultDir, false, file))
+                    {
+                        throw PluginInitializationException(
+                            __FILE__,
+                            __LINE__,
+                            "IceSSL: CRL file not found `" + *it + "'");
+                    }
+
+                    if(X509_LOOKUP_load_file(lookup, file.c_str(), X509_FILETYPE_PEM) == 0)
+                    {
+                        throw PluginInitializationException(
+                            __FILE__,
+                            __LINE__,
+                            "IceSSL: CRL load failure `" + *it + "'");
+                    }
+                }
+
+                unsigned long flags = X509_V_FLAG_CRL_CHECK;
+                if(revocationCheck > 1)
+                {
+                    flags |= X509_V_FLAG_CRL_CHECK_ALL;
+                }
+                X509_STORE_set_flags(store, flags);
+            }
+
             SSL_CTX_set_mode(_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
         }
 

data/ext/ice/cpp/src/IceSSL/OpenSSLTransceiverI.cpp

@@ -10,8 +10,10 @@
 
 #include <IceSSL/ConnectionInfo.h>
 #include <IceSSL/Instance.h>
+#include <IceSSL/PluginI.h>
 #include <IceSSL/SSLEngine.h>
 #include <IceSSL/Util.h>
+
 #include <Ice/Communicator.h>
 #include <Ice/LoggerUtil.h>
 #include <Ice/Buffer.h>
@@ -72,6 +74,103 @@ IceSSL_opensslVerifyCallback(int ok, X509_STORE_CTX* ctx)
 
 }
 
+namespace
+{
+
+TrustError trustStatusToTrustError(long status)
+{
+    switch (status)
+    {
+    case X509_V_OK:
+        return IceSSL::ICE_ENUM(TrustError, NoError);
+
+    case X509_V_ERR_CERT_CHAIN_TOO_LONG:
+        return IceSSL::ICE_ENUM(TrustError, ChainTooLong);
+
+    case X509_V_ERR_EXCLUDED_VIOLATION:
+        return IceSSL::ICE_ENUM(TrustError, HasExcludedNameConstraint);
+
+    case X509_V_ERR_PERMITTED_VIOLATION:
+        return IceSSL::ICE_ENUM(TrustError, HasNonPermittedNameConstraint);
+
+    case X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION:
+        return IceSSL::ICE_ENUM(TrustError, HasNonSupportedCriticalExtension);
+
+    case X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE:
+    case X509_V_ERR_SUBTREE_MINMAX:
+        return IceSSL::ICE_ENUM(TrustError, HasNonSupportedNameConstraint);
+
+    case X509_V_ERR_HOSTNAME_MISMATCH:
+    case X509_V_ERR_IP_ADDRESS_MISMATCH:
+        return IceSSL::ICE_ENUM(TrustError, HostNameMismatch);
+
+    case X509_V_ERR_INVALID_CA:
+    case X509_V_ERR_INVALID_NON_CA:
+    case X509_V_ERR_PATH_LENGTH_EXCEEDED:
+    case X509_V_ERR_KEYUSAGE_NO_CERTSIGN:
+    case X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE:
+        return IceSSL::ICE_ENUM(TrustError, InvalidBasicConstraints);
+
+    case X509_V_ERR_INVALID_EXTENSION:
+        return IceSSL::ICE_ENUM(TrustError, InvalidExtension);
+
+    case X509_V_ERR_UNSUPPORTED_NAME_SYNTAX:
+        return IceSSL::ICE_ENUM(TrustError, InvalidNameConstraints);
+
+    case X509_V_ERR_INVALID_POLICY_EXTENSION:
+    case X509_V_ERR_NO_EXPLICIT_POLICY:
+        return IceSSL::ICE_ENUM(TrustError, InvalidPolicyConstraints);
+
+    case X509_V_ERR_INVALID_PURPOSE:
+        return IceSSL::ICE_ENUM(TrustError, InvalidPurpose);
+
+    case X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE:
+    case X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY:
+    case X509_V_ERR_CERT_SIGNATURE_FAILURE:
+        return IceSSL::ICE_ENUM(TrustError, InvalidSignature);
+
+    case X509_V_ERR_CERT_NOT_YET_VALID:
+    case X509_V_ERR_CERT_HAS_EXPIRED:
+    case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
+    case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
+        return IceSSL::ICE_ENUM(TrustError, InvalidTime);
+
+    case X509_V_ERR_CERT_REJECTED:
+        return IceSSL::ICE_ENUM(TrustError, NotTrusted);
+
+    case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
+    case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
+    case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
+        return IceSSL::ICE_ENUM(TrustError, PartialChain);
+
+    case X509_V_ERR_CRL_HAS_EXPIRED:
+    case X509_V_ERR_CRL_NOT_YET_VALID:
+    case X509_V_ERR_CRL_SIGNATURE_FAILURE:
+    case X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD:
+    case X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD:
+    case X509_V_ERR_KEYUSAGE_NO_CRL_SIGN:
+    case X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE:
+    case X509_V_ERR_UNABLE_TO_GET_CRL:
+    case X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER:
+    case X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION:
+    case X509_V_ERR_CRL_PATH_VALIDATION_ERROR:
+        return IceSSL::ICE_ENUM(TrustError, RevocationStatusUnknown);
+
+    case X509_V_ERR_CERT_REVOKED:
+        return IceSSL::ICE_ENUM(TrustError, Revoked);
+
+    case X509_V_ERR_CERT_UNTRUSTED:
+    case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
+    case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
+        return IceSSL::ICE_ENUM(TrustError, UntrustedRoot);
+
+    default:
+        return IceSSL::ICE_ENUM(TrustError, UnknownTrustFailure);
+    }
+}
+
+}
+
 IceInternal::NativeInfoPtr
 OpenSSL::TransceiverI::getNativeInfo()
 {
@@ -310,6 +409,7 @@ OpenSSL::TransceiverI::initialize(IceInternal::Buffer& readBuffer, IceInternal::
     }
 
     long result = SSL_get_verify_result(_ssl);
+    _trustError = trustStatusToTrustError(result);
     if(result != X509_V_OK)
     {
         if(_engine->getVerifyPeer() == 0)
@@ -346,10 +446,11 @@ OpenSSL::TransceiverI::initialize(IceInternal::Buffer& readBuffer, IceInternal::
         // Peer hostname verification is new in OpenSSL 1.0.2 for older versions
         // We use IceSSL built-in hostname verification.
         //
-        _engine->verifyPeerCertName(address, info);
+        _engine->verifyPeerCertName(_host, ICE_DYNAMIC_CAST(ConnectionInfo, getInfo()));
     }
     catch(const SecurityException&)
     {
+        _trustError = IceSSL::ICE_ENUM(TrustError, HostNameMismatch);
         _verified = false;
         if(_engine->getVerifyPeer() > 0)
         {
@@ -823,13 +924,15 @@ OpenSSL::TransceiverI::toDetailedString() const
 Ice::ConnectionInfoPtr
 OpenSSL::TransceiverI::getInfo() const
 {
-    ConnectionInfoPtr info = ICE_MAKE_SHARED(ConnectionInfo);
+    ExtendedConnectionInfoPtr info = ICE_MAKE_SHARED(ExtendedConnectionInfo);
     info->underlying = _delegate->getInfo();
     info->incoming = _incoming;
     info->adapterName = _adapterName;
     info->cipher = _cipher;
     info->certs = _certs;
     info->verified = _verified;
+    info->errorCode = _trustError;
+    info->host = _incoming ? "" : _host;
     return info;
 }
 

data/ext/ice/cpp/src/IceSSL/OpenSSLTransceiverI.h

@@ -71,6 +71,7 @@ private:
     std::string _cipher;
     std::vector<IceSSL::CertificatePtr> _certs;
     bool _verified;
+    TrustError _trustError;
 
     SSL* _ssl;
     BIO* _memBio;

data/ext/ice/cpp/src/IceSSL/OpenSSLUtil.cpp

@@ -10,6 +10,8 @@
 //
 #if defined(__GNUC__)
 #  pragma GCC diagnostic ignored "-Wold-style-cast"
+#  // Ignore OpenSSL 3.0 deprecation warning
+#  pragma GCC diagnostic ignored "-Wdeprecated-declarations"
 #endif
 
 using namespace std;