Merge in some ui enhancements from the ssl_platform_fixes branch.
Commit
3c19422b6e4c643e67dcabb8c1fcfedb5da0f2fb
Parent
858940c68e5793a…
2 files changed
+133
-4
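--- a/src/http_ssl.c
+++ b/src/http_ssl.c
@@ -129,11 +129,12 @@
 ** Return the number of errors.
 */
 int ssl_open(void){
 X509 *cert;
 int hasSavedCertificate = 0;
-char *connStr ;
+ char *connStr;
+ int vresult = 0;
 ssl_global_init();
 
 /* Get certificate for current server from global config and
 * (if we have it in config) add it to certificate store.
 */
@@ -177,13 +178,14 @@
 ssl_set_errmsg("No SSL certificate was presented by the peer");
 ssl_close();
 return 1;
 }
 
- if( SSL_get_verify_result(ssl) != X509_V_OK ){
+ if( (vresult = SSL_get_verify_result(ssl)) != X509_V_OK ){
 char *desc, *prompt;
 char *warning = "";
+ char *ssl_verify_error = "";
 Blob ans;
 BIO *mem;
 
 mem = BIO_new(BIO_s_mem());
 X509_NAME_print_ex(mem, X509_get_subject_name(cert), 2, XN_FLAG_MULTILINE);
@@ -194,12 +196,139 @@
 
 if( hasSavedCertificate ){
 warning = "WARNING: Certificate doesn't match the "
 "saved certificate for this host!";
 }
- prompt = mprintf("\nUnknown SSL certificate:\n\n%s\n\n%s\n"
- "Accept certificate [a=always/y/N]? ", desc, warning);
+ switch(vresult) {
+ case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
+ ssl_verify_error = "SSL: unable to get issuer certificate.";
+ break;
+
+ case X509_V_ERR_UNABLE_TO_GET_CRL:
+ ssl_verify_error = "SSL: unable to get certificate CRL.";
+ break;
+
+ case X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE:
+ ssl_verify_error = "SSL: unable to decrypt certificate’s signature.";
+ break;
+
+ case X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE:
+ ssl_verify_error = "SSL: unable to decrypt CRL’s signature.";
+ break;
+
+ case X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY:
+ ssl_verify_error = "SSL: unable to decode issuer public key.";
+ break;
+
+ case X509_V_ERR_CERT_SIGNATURE_FAILURE:
+ ssl_verify_error = "SSL: certificate signature failure.";
+ break;
+
+ case X509_V_ERR_CRL_SIGNATURE_FAILURE:
+ ssl_verify_error = "SSL: CRL signature failure.";
+ break;
+
+ case X509_V_ERR_CERT_NOT_YET_VALID:
+ ssl_verify_error = "SSL: certificate is not yet valid.";
+ break;
+
+ case X509_V_ERR_CERT_HAS_EXPIRED:
+ ssl_verify_error = "SSL: certificate has expired.";
+ break;
+
+ case X509_V_ERR_CRL_NOT_YET_VALID:
+ ssl_verify_error = "SSL: CRL is not yet valid.";
+ break;
+
+ case X509_V_ERR_CRL_HAS_EXPIRED:
+ ssl_verify_error = "SSL: CRL has expired.";
+ break;
+
+ case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
+ ssl_verify_error = "SSL: format error in certificate’s notBefore field.";
+ break;
+
+ case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
+ ssl_verify_error = "SSL: format error in certificate’s notAfter field.";
+ break;
+
+ case X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD:
+ ssl_verify_error = "SSL: format error in CRL’s lastUpdate field.";
+ break;
+
+ case X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD:
+ ssl_verify_error = "SSL: format error in CRL’s nextUpdate field.";
+ break;
+
+ case X509_V_ERR_OUT_OF_MEM:
+ ssl_verify_error = "SSL: out of memory.";
+ break;
+
+ case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
+ ssl_verify_error = "SSL: self signed certificate.";
+ break;
+
+ case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
+ ssl_verify_error = "SSL: self signed certificate in certificate chain.";
+ break;
+
+ case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
+ ssl_verify_error = "SSL: unable to get local issuer certificate.";
+ break;
+
+ case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
+ ssl_verify_error = "SSL: unable to verify the first certificate.";
+ break;
+
+ case X509_V_ERR_CERT_CHAIN_TOO_LONG:
+ ssl_verify_error = "SSL: certificate chain too long.";
+ break;
+
+ case X509_V_ERR_CERT_REVOKED:
+ ssl_verify_error = "SSL: certificate revoked.";
+ break;
+
+ case X509_V_ERR_INVALID_CA:
+ ssl_verify_error = "SSL: invalid CA certificate.";
+ break;
+
+ case X509_V_ERR_PATH_LENGTH_EXCEEDED:
+ ssl_verify_error = "SSL: path length constraint exceeded.";
+ break;
+
+ case X509_V_ERR_INVALID_PURPOSE:
+ ssl_verify_error = "SSL: unsupported certificate purpose.";
+ break;
+
+ case X509_V_ERR_CERT_UNTRUSTED:
+ ssl_verify_error = "SSL: certificate not trusted.";
+ break;
+
+ case X509_V_ERR_CERT_REJECTED:
+ ssl_verify_error = "SSL: certificate rejected.";
+ break;
+
+ case X509_V_ERR_SUBJECT_ISSUER_MISMATCH:
+ ssl_verify_error = "SSL: subject issuer mismatch.";
+ break;
+
+ case X509_V_ERR_AKID_SKID_MISMATCH:
+ ssl_verify_error = "SSL: authority and subject key identifier mismatch.";
+ break;
+
+ case X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH:
+ ssl_verify_error = "SSL: authority and issuer serial number mismatch.";
+ break;
+
+ case X509_V_ERR_KEYUSAGE_NO_CERTSIGN:
+ ssl_verify_error = "SSL: key usage does not include certificate signing.";
+ break;
+ default:
+ ssl_verify_error = "SSL: Unknown error.";
+ };
+ prompt = mprintf("\nUnknown SSL certificate:\n\n%s\n\n%s\n%s Code: %d\n"
+ "Accept certificate [a=always/y/N]? ", desc, warning, ssl_verify_error, vresult);
 BIO_free(mem);
 
 prompt_user(prompt, &ans);
 free(prompt);
 if( blob_str(&ans)[0]!='y' && blob_str(&ans)[0]!='a' ) {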
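Review bot: The 127-line `switch` on `vresult` at new lines 201–327 hand-copies OpenSSL's own error table and will drift as codes are added (anything not listed is reported as "SSL: Unknown error."); `const char *ssl_verify_error = X509_verify_cert_error_string(vresult);` at the declaration on line 186 gives a text for every X509_V_ERR_ value and lets the whole switch go. `SSL_get_verify_result()` returns `long`, so the `int vresult` declared on line 135 and the `%d` in the mprintf format on line 328 narrow it; `long vresult = 0;` with `%ld` matches the API. The new messages also embed a non-ASCII apostrophe (U+2019) in the "certificate’s" and "CRL’s" literals, which prints as mojibake on non-UTF-8 consoles where this prompt is shown, and the `};` closing the switch on line 327 is a stray empty statement. Since the prompt still offers "a=always" regardless of which verification error was hit, it is worth confirming that persisting trust is acceptable for the X509_V_ERR_CERT_REVOKED and expiry cases as well. ssl_open() begins and ends outside these hunks.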
| --- src/http_ssl.c | |
| +++ src/http_ssl.c | |
| @@ -129,11 +129,12 @@ | |
| 129 | ** Return the number of errors. |
| 130 | */ |
| 131 | int ssl_open(void){ |
| 132 | X509 *cert; |
| 133 | int hasSavedCertificate = 0; |
| 134 | char *connStr ; |
| 135 | ssl_global_init(); |
| 136 | |
| 137 | /* Get certificate for current server from global config and |
| 138 | * (if we have it in config) add it to certificate store. |
| 139 | */ |
| @@ -177,13 +178,14 @@ | |
| 177 | ssl_set_errmsg("No SSL certificate was presented by the peer"); |
| 178 | ssl_close(); |
| 179 | return 1; |
| 180 | } |
| 181 | |
| 182 | if( SSL_get_verify_result(ssl) != X509_V_OK ){ |
| 183 | char *desc, *prompt; |
| 184 | char *warning = ""; |
| 185 | Blob ans; |
| 186 | BIO *mem; |
| 187 | |
| 188 | mem = BIO_new(BIO_s_mem()); |
| 189 | X509_NAME_print_ex(mem, X509_get_subject_name(cert), 2, XN_FLAG_MULTILINE); |
| @@ -194,12 +196,139 @@ | |
| 194 | |
| 195 | if( hasSavedCertificate ){ |
| 196 | warning = "WARNING: Certificate doesn't match the " |
| 197 | "saved certificate for this host!"; |
| 198 | } |
| 199 | prompt = mprintf("\nUnknown SSL certificate:\n\n%s\n\n%s\n" |
| 200 | "Accept certificate [a=always/y/N]? ", desc, warning); |
| 201 | BIO_free(mem); |
| 202 | |
| 203 | prompt_user(prompt, &ans); |
| 204 | free(prompt); |
| 205 | if( blob_str(&ans)[0]!='y' && blob_str(&ans)[0]!='a' ) { |
| 206 |
| --- src/http_ssl.c | |
| +++ src/http_ssl.c | |
| @@ -129,11 +129,12 @@ | |
| 129 | ** Return the number of errors. |
| 130 | */ |
| 131 | int ssl_open(void){ |
| 132 | X509 *cert; |
| 133 | int hasSavedCertificate = 0; |
| 134 | char *connStr; |
| 135 | int vresult = 0; |
| 136 | ssl_global_init(); |
| 137 | |
| 138 | /* Get certificate for current server from global config and |
| 139 | * (if we have it in config) add it to certificate store. |
| 140 | */ |
| @@ -177,13 +178,14 @@ | |
| 178 | ssl_set_errmsg("No SSL certificate was presented by the peer"); |
| 179 | ssl_close(); |
| 180 | return 1; |
| 181 | } |
| 182 | |
| 183 | if( (vresult = SSL_get_verify_result(ssl)) != X509_V_OK ){ |
| 184 | char *desc, *prompt; |
| 185 | char *warning = ""; |
| 186 | char *ssl_verify_error = ""; |
| 187 | Blob ans; |
| 188 | BIO *mem; |
| 189 | |
| 190 | mem = BIO_new(BIO_s_mem()); |
| 191 | X509_NAME_print_ex(mem, X509_get_subject_name(cert), 2, XN_FLAG_MULTILINE); |
| @@ -194,12 +196,139 @@ | |
| 196 | |
| 197 | if( hasSavedCertificate ){ |
| 198 | warning = "WARNING: Certificate doesn't match the " |
| 199 | "saved certificate for this host!"; |
| 200 | } |
| 201 | switch(vresult) { |
| 202 | case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: |
| 203 | ssl_verify_error = "SSL: unable to get issuer certificate."; |
| 204 | break; |
| 205 | |
| 206 | case X509_V_ERR_UNABLE_TO_GET_CRL: |
| 207 | ssl_verify_error = "SSL: unable to get certificate CRL."; |
| 208 | break; |
| 209 | |
| 210 | case X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE: |
| 211 | ssl_verify_error = "SSL: unable to decrypt certificate’s signature."; |
| 212 | break; |
| 213 | |
| 214 | case X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE: |
| 215 | ssl_verify_error = "SSL: unable to decrypt CRL’s signature."; |
| 216 | break; |
| 217 | |
| 218 | case X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY: |
| 219 | ssl_verify_error = "SSL: unable to decode issuer public key."; |
| 220 | break; |
| 221 | |
| 222 | case X509_V_ERR_CERT_SIGNATURE_FAILURE: |
| 223 | ssl_verify_error = "SSL: certificate signature failure."; |
| 224 | break; |
| 225 | |
| 226 | case X509_V_ERR_CRL_SIGNATURE_FAILURE: |
| 227 | ssl_verify_error = "SSL: CRL signature failure."; |
| 228 | break; |
| 229 | |
| 230 | case X509_V_ERR_CERT_NOT_YET_VALID: |
| 231 | ssl_verify_error = "SSL: certificate is not yet valid."; |
| 232 | break; |
| 233 | |
| 234 | case X509_V_ERR_CERT_HAS_EXPIRED: |
| 235 | ssl_verify_error = "SSL: certificate has expired."; |
| 236 | break; |
| 237 | |
| 238 | case X509_V_ERR_CRL_NOT_YET_VALID: |
| 239 | ssl_verify_error = "SSL: CRL is not yet valid."; |
| 240 | break; |
| 241 | |
| 242 | case X509_V_ERR_CRL_HAS_EXPIRED: |
| 243 | ssl_verify_error = "SSL: CRL has expired."; |
| 244 | break; |
| 245 | |
| 246 | case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: |
| 247 | ssl_verify_error = "SSL: format error in certificate’s notBefore field."; |
| 248 | break; |
| 249 | |
| 250 | case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: |
| 251 | ssl_verify_error = "SSL: format error in certificate’s notAfter field."; |
| 252 | break; |
| 253 | |
| 254 | case X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD: |
| 255 | ssl_verify_error = "SSL: format error in CRL’s lastUpdate field."; |
| 256 | break; |
| 257 | |
| 258 | case X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD: |
| 259 | ssl_verify_error = "SSL: format error in CRL’s nextUpdate field."; |
| 260 | break; |
| 261 | |
| 262 | case X509_V_ERR_OUT_OF_MEM: |
| 263 | ssl_verify_error = "SSL: out of memory."; |
| 264 | break; |
| 265 | |
| 266 | case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: |
| 267 | ssl_verify_error = "SSL: self signed certificate."; |
| 268 | break; |
| 269 | |
| 270 | case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: |
| 271 | ssl_verify_error = "SSL: self signed certificate in certificate chain."; |
| 272 | break; |
| 273 | |
| 274 | case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: |
| 275 | ssl_verify_error = "SSL: unable to get local issuer certificate."; |
| 276 | break; |
| 277 | |
| 278 | case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: |
| 279 | ssl_verify_error = "SSL: unable to verify the first certificate."; |
| 280 | break; |
| 281 | |
| 282 | case X509_V_ERR_CERT_CHAIN_TOO_LONG: |
| 283 | ssl_verify_error = "SSL: certificate chain too long."; |
| 284 | break; |
| 285 | |
| 286 | case X509_V_ERR_CERT_REVOKED: |
| 287 | ssl_verify_error = "SSL: certificate revoked."; |
| 288 | break; |
| 289 | |
| 290 | case X509_V_ERR_INVALID_CA: |
| 291 | ssl_verify_error = "SSL: invalid CA certificate."; |
| 292 | break; |
| 293 | |
| 294 | case X509_V_ERR_PATH_LENGTH_EXCEEDED: |
| 295 | ssl_verify_error = "SSL: path length constraint exceeded."; |
| 296 | break; |
| 297 | |
| 298 | case X509_V_ERR_INVALID_PURPOSE: |
| 299 | ssl_verify_error = "SSL: unsupported certificate purpose."; |
| 300 | break; |
| 301 | |
| 302 | case X509_V_ERR_CERT_UNTRUSTED: |
| 303 | ssl_verify_error = "SSL: certificate not trusted."; |
| 304 | break; |
| 305 | |
| 306 | case X509_V_ERR_CERT_REJECTED: |
| 307 | ssl_verify_error = "SSL: certificate rejected."; |
| 308 | break; |
| 309 | |
| 310 | case X509_V_ERR_SUBJECT_ISSUER_MISMATCH: |
| 311 | ssl_verify_error = "SSL: subject issuer mismatch."; |
| 312 | break; |
| 313 | |
| 314 | case X509_V_ERR_AKID_SKID_MISMATCH: |
| 315 | ssl_verify_error = "SSL: authority and subject key identifier mismatch."; |
| 316 | break; |
| 317 | |
| 318 | case X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH: |
| 319 | ssl_verify_error = "SSL: authority and issuer serial number mismatch."; |
| 320 | break; |
| 321 | |
| 322 | case X509_V_ERR_KEYUSAGE_NO_CERTSIGN: |
| 323 | ssl_verify_error = "SSL: key usage does not include certificate signing."; |
| 324 | break; |
| 325 | default: |
| 326 | ssl_verify_error = "SSL: Unknown error."; |
| 327 | }; |
| 328 | prompt = mprintf("\nUnknown SSL certificate:\n\n%s\n\n%s\n%s Code: %d\n" |
| 329 | "Accept certificate [a=always/y/N]? ", desc, warning, ssl_verify_error, vresult); |
| 330 | BIO_free(mem); |
| 331 | |
| 332 | prompt_user(prompt, &ans); |
| 333 | free(prompt); |
| 334 | if( blob_str(&ans)[0]!='y' && blob_str(&ans)[0]!='a' ) { |
| 335 |
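--- a/src/http_ssl.c
+++ b/src/http_ssl.c
@@ -129,11 +129,12 @@
 ** Return the number of errors.
 */
 int ssl_open(void){
 X509 *cert;
 int hasSavedCertificate = 0;
-char *connStr ;
+ char *connStr;
+ int vresult = 0;
 ssl_global_init();
 
 /* Get certificate for current server from global config and
 * (if we have it in config) add it to certificate store.
 */
@@ -177,13 +178,14 @@
 ssl_set_errmsg("No SSL certificate was presented by the peer");
 ssl_close();
 return 1;
 }
 
- if( SSL_get_verify_result(ssl) != X509_V_OK ){
+ if( (vresult = SSL_get_verify_result(ssl)) != X509_V_OK ){
 char *desc, *prompt;
 char *warning = "";
+ char *ssl_verify_error = "";
 Blob ans;
 BIO *mem;
 
 mem = BIO_new(BIO_s_mem());
 X509_NAME_print_ex(mem, X509_get_subject_name(cert), 2, XN_FLAG_MULTILINE);
@@ -194,12 +196,139 @@
 
 if( hasSavedCertificate ){
 warning = "WARNING: Certificate doesn't match the "
 "saved certificate for this host!";
 }
- prompt = mprintf("\nUnknown SSL certificate:\n\n%s\n\n%s\n"
- "Accept certificate [a=always/y/N]? ", desc, warning);
+ switch(vresult) {
+ case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
+ ssl_verify_error = "SSL: unable to get issuer certificate.";
+ break;
+
+ case X509_V_ERR_UNABLE_TO_GET_CRL:
+ ssl_verify_error = "SSL: unable to get certificate CRL.";
+ break;
+
+ case X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE:
+ ssl_verify_error = "SSL: unable to decrypt certificate’s signature.";
+ break;
+
+ case X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE:
+ ssl_verify_error = "SSL: unable to decrypt CRL’s signature.";
+ break;
+
+ case X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY:
+ ssl_verify_error = "SSL: unable to decode issuer public key.";
+ break;
+
+ case X509_V_ERR_CERT_SIGNATURE_FAILURE:
+ ssl_verify_error = "SSL: certificate signature failure.";
+ break;
+
+ case X509_V_ERR_CRL_SIGNATURE_FAILURE:
+ ssl_verify_error = "SSL: CRL signature failure.";
+ break;
+
+ case X509_V_ERR_CERT_NOT_YET_VALID:
+ ssl_verify_error = "SSL: certificate is not yet valid.";
+ break;
+
+ case X509_V_ERR_CERT_HAS_EXPIRED:
+ ssl_verify_error = "SSL: certificate has expired.";
+ break;
+
+ case X509_V_ERR_CRL_NOT_YET_VALID:
+ ssl_verify_error = "SSL: CRL is not yet valid.";
+ break;
+
+ case X509_V_ERR_CRL_HAS_EXPIRED:
+ ssl_verify_error = "SSL: CRL has expired.";
+ break;
+
+ case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
+ ssl_verify_error = "SSL: format error in certificate’s notBefore field.";
+ break;
+
+ case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
+ ssl_verify_error = "SSL: format error in certificate’s notAfter field.";
+ break;
+
+ case X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD:
+ ssl_verify_error = "SSL: format error in CRL’s lastUpdate field.";
+ break;
+
+ case X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD:
+ ssl_verify_error = "SSL: format error in CRL’s nextUpdate field.";
+ break;
+
+ case X509_V_ERR_OUT_OF_MEM:
+ ssl_verify_error = "SSL: out of memory.";
+ break;
+
+ case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
+ ssl_verify_error = "SSL: self signed certificate.";
+ break;
+
+ case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
+ ssl_verify_error = "SSL: self signed certificate in certificate chain.";
+ break;
+
+ case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
+ ssl_verify_error = "SSL: unable to get local issuer certificate.";
+ break;
+
+ case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
+ ssl_verify_error = "SSL: unable to verify the first certificate.";
+ break;
+
+ case X509_V_ERR_CERT_CHAIN_TOO_LONG:
+ ssl_verify_error = "SSL: certificate chain too long.";
+ break;
+
+ case X509_V_ERR_CERT_REVOKED:
+ ssl_verify_error = "SSL: certificate revoked.";
+ break;
+
+ case X509_V_ERR_INVALID_CA:
+ ssl_verify_error = "SSL: invalid CA certificate.";
+ break;
+
+ case X509_V_ERR_PATH_LENGTH_EXCEEDED:
+ ssl_verify_error = "SSL: path length constraint exceeded.";
+ break;
+
+ case X509_V_ERR_INVALID_PURPOSE:
+ ssl_verify_error = "SSL: unsupported certificate purpose.";
+ break;
+
+ case X509_V_ERR_CERT_UNTRUSTED:
+ ssl_verify_error = "SSL: certificate not trusted.";
+ break;
+
+ case X509_V_ERR_CERT_REJECTED:
+ ssl_verify_error = "SSL: certificate rejected.";
+ break;
+
+ case X509_V_ERR_SUBJECT_ISSUER_MISMATCH:
+ ssl_verify_error = "SSL: subject issuer mismatch.";
+ break;
+
+ case X509_V_ERR_AKID_SKID_MISMATCH:
+ ssl_verify_error = "SSL: authority and subject key identifier mismatch.";
+ break;
+
+ case X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH:
+ ssl_verify_error = "SSL: authority and issuer serial number mismatch.";
+ break;
+
+ case X509_V_ERR_KEYUSAGE_NO_CERTSIGN:
+ ssl_verify_error = "SSL: key usage does not include certificate signing.";
+ break;
+ default:
+ ssl_verify_error = "SSL: Unknown error.";
+ };
+ prompt = mprintf("\nUnknown SSL certificate:\n\n%s\n\n%s\n%s Code: %d\n"
+ "Accept certificate [a=always/y/N]? ", desc, warning, ssl_verify_error, vresult);
 BIO_free(mem);
 
 prompt_user(prompt, &ans);
 free(prompt);
 if( blob_str(&ans)[0]!='y' && blob_str(&ans)[0]!='a' ) {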
| --- src/http_ssl.c | |
| +++ src/http_ssl.c | |
| @@ -129,11 +129,12 @@ | |
| 129 | ** Return the number of errors. |
| 130 | */ |
| 131 | int ssl_open(void){ |
| 132 | X509 *cert; |
| 133 | int hasSavedCertificate = 0; |
| 134 | char *connStr ; |
| 135 | ssl_global_init(); |
| 136 | |
| 137 | /* Get certificate for current server from global config and |
| 138 | * (if we have it in config) add it to certificate store. |
| 139 | */ |
| @@ -177,13 +178,14 @@ | |
| 177 | ssl_set_errmsg("No SSL certificate was presented by the peer"); |
| 178 | ssl_close(); |
| 179 | return 1; |
| 180 | } |
| 181 | |
| 182 | if( SSL_get_verify_result(ssl) != X509_V_OK ){ |
| 183 | char *desc, *prompt; |
| 184 | char *warning = ""; |
| 185 | Blob ans; |
| 186 | BIO *mem; |
| 187 | |
| 188 | mem = BIO_new(BIO_s_mem()); |
| 189 | X509_NAME_print_ex(mem, X509_get_subject_name(cert), 2, XN_FLAG_MULTILINE); |
| @@ -194,12 +196,139 @@ | |
| 194 | |
| 195 | if( hasSavedCertificate ){ |
| 196 | warning = "WARNING: Certificate doesn't match the " |
| 197 | "saved certificate for this host!"; |
| 198 | } |
| 199 | prompt = mprintf("\nUnknown SSL certificate:\n\n%s\n\n%s\n" |
| 200 | "Accept certificate [a=always/y/N]? ", desc, warning); |
| 201 | BIO_free(mem); |
| 202 | |
| 203 | prompt_user(prompt, &ans); |
| 204 | free(prompt); |
| 205 | if( blob_str(&ans)[0]!='y' && blob_str(&ans)[0]!='a' ) { |
| 206 |
| --- src/http_ssl.c | |
| +++ src/http_ssl.c | |
| @@ -129,11 +129,12 @@ | |
| 129 | ** Return the number of errors. |
| 130 | */ |
| 131 | int ssl_open(void){ |
| 132 | X509 *cert; |
| 133 | int hasSavedCertificate = 0; |
| 134 | char *connStr; |
| 135 | int vresult = 0; |
| 136 | ssl_global_init(); |
| 137 | |
| 138 | /* Get certificate for current server from global config and |
| 139 | * (if we have it in config) add it to certificate store. |
| 140 | */ |
| @@ -177,13 +178,14 @@ | |
| 178 | ssl_set_errmsg("No SSL certificate was presented by the peer"); |
| 179 | ssl_close(); |
| 180 | return 1; |
| 181 | } |
| 182 | |
| 183 | if( (vresult = SSL_get_verify_result(ssl)) != X509_V_OK ){ |
| 184 | char *desc, *prompt; |
| 185 | char *warning = ""; |
| 186 | char *ssl_verify_error = ""; |
| 187 | Blob ans; |
| 188 | BIO *mem; |
| 189 | |
| 190 | mem = BIO_new(BIO_s_mem()); |
| 191 | X509_NAME_print_ex(mem, X509_get_subject_name(cert), 2, XN_FLAG_MULTILINE); |
| @@ -194,12 +196,139 @@ | |
| 196 | |
| 197 | if( hasSavedCertificate ){ |
| 198 | warning = "WARNING: Certificate doesn't match the " |
| 199 | "saved certificate for this host!"; |
| 200 | } |
| 201 | switch(vresult) { |
| 202 | case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: |
| 203 | ssl_verify_error = "SSL: unable to get issuer certificate."; |
| 204 | break; |
| 205 | |
| 206 | case X509_V_ERR_UNABLE_TO_GET_CRL: |
| 207 | ssl_verify_error = "SSL: unable to get certificate CRL."; |
| 208 | break; |
| 209 | |
| 210 | case X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE: |
| 211 | ssl_verify_error = "SSL: unable to decrypt certificate’s signature."; |
| 212 | break; |
| 213 | |
| 214 | case X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE: |
| 215 | ssl_verify_error = "SSL: unable to decrypt CRL’s signature."; |
| 216 | break; |
| 217 | |
| 218 | case X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY: |
| 219 | ssl_verify_error = "SSL: unable to decode issuer public key."; |
| 220 | break; |
| 221 | |
| 222 | case X509_V_ERR_CERT_SIGNATURE_FAILURE: |
| 223 | ssl_verify_error = "SSL: certificate signature failure."; |
| 224 | break; |
| 225 | |
| 226 | case X509_V_ERR_CRL_SIGNATURE_FAILURE: |
| 227 | ssl_verify_error = "SSL: CRL signature failure."; |
| 228 | break; |
| 229 | |
| 230 | case X509_V_ERR_CERT_NOT_YET_VALID: |
| 231 | ssl_verify_error = "SSL: certificate is not yet valid."; |
| 232 | break; |
| 233 | |
| 234 | case X509_V_ERR_CERT_HAS_EXPIRED: |
| 235 | ssl_verify_error = "SSL: certificate has expired."; |
| 236 | break; |
| 237 | |
| 238 | case X509_V_ERR_CRL_NOT_YET_VALID: |
| 239 | ssl_verify_error = "SSL: CRL is not yet valid."; |
| 240 | break; |
| 241 | |
| 242 | case X509_V_ERR_CRL_HAS_EXPIRED: |
| 243 | ssl_verify_error = "SSL: CRL has expired."; |
| 244 | break; |
| 245 | |
| 246 | case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: |
| 247 | ssl_verify_error = "SSL: format error in certificate’s notBefore field."; |
| 248 | break; |
| 249 | |
| 250 | case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: |
| 251 | ssl_verify_error = "SSL: format error in certificate’s notAfter field."; |
| 252 | break; |
| 253 | |
| 254 | case X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD: |
| 255 | ssl_verify_error = "SSL: format error in CRL’s lastUpdate field."; |
| 256 | break; |
| 257 | |
| 258 | case X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD: |
| 259 | ssl_verify_error = "SSL: format error in CRL’s nextUpdate field."; |
| 260 | break; |
| 261 | |
| 262 | case X509_V_ERR_OUT_OF_MEM: |
| 263 | ssl_verify_error = "SSL: out of memory."; |
| 264 | break; |
| 265 | |
| 266 | case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: |
| 267 | ssl_verify_error = "SSL: self signed certificate."; |
| 268 | break; |
| 269 | |
| 270 | case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: |
| 271 | ssl_verify_error = "SSL: self signed certificate in certificate chain."; |
| 272 | break; |
| 273 | |
| 274 | case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: |
| 275 | ssl_verify_error = "SSL: unable to get local issuer certificate."; |
| 276 | break; |
| 277 | |
| 278 | case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: |
| 279 | ssl_verify_error = "SSL: unable to verify the first certificate."; |
| 280 | break; |
| 281 | |
| 282 | case X509_V_ERR_CERT_CHAIN_TOO_LONG: |
| 283 | ssl_verify_error = "SSL: certificate chain too long."; |
| 284 | break; |
| 285 | |
| 286 | case X509_V_ERR_CERT_REVOKED: |
| 287 | ssl_verify_error = "SSL: certificate revoked."; |
| 288 | break; |
| 289 | |
| 290 | case X509_V_ERR_INVALID_CA: |
| 291 | ssl_verify_error = "SSL: invalid CA certificate."; |
| 292 | break; |
| 293 | |
| 294 | case X509_V_ERR_PATH_LENGTH_EXCEEDED: |
| 295 | ssl_verify_error = "SSL: path length constraint exceeded."; |
| 296 | break; |
| 297 | |
| 298 | case X509_V_ERR_INVALID_PURPOSE: |
| 299 | ssl_verify_error = "SSL: unsupported certificate purpose."; |
| 300 | break; |
| 301 | |
| 302 | case X509_V_ERR_CERT_UNTRUSTED: |
| 303 | ssl_verify_error = "SSL: certificate not trusted."; |
| 304 | break; |
| 305 | |
| 306 | case X509_V_ERR_CERT_REJECTED: |
| 307 | ssl_verify_error = "SSL: certificate rejected."; |
| 308 | break; |
| 309 | |
| 310 | case X509_V_ERR_SUBJECT_ISSUER_MISMATCH: |
| 311 | ssl_verify_error = "SSL: subject issuer mismatch."; |
| 312 | break; |
| 313 | |
| 314 | case X509_V_ERR_AKID_SKID_MISMATCH: |
| 315 | ssl_verify_error = "SSL: authority and subject key identifier mismatch."; |
| 316 | break; |
| 317 | |
| 318 | case X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH: |
| 319 | ssl_verify_error = "SSL: authority and issuer serial number mismatch."; |
| 320 | break; |
| 321 | |
| 322 | case X509_V_ERR_KEYUSAGE_NO_CERTSIGN: |
| 323 | ssl_verify_error = "SSL: key usage does not include certificate signing."; |
| 324 | break; |
| 325 | default: |
| 326 | ssl_verify_error = "SSL: Unknown error."; |
| 327 | }; |
| 328 | prompt = mprintf("\nUnknown SSL certificate:\n\n%s\n\n%s\n%s Code: %d\n" |
| 329 | "Accept certificate [a=always/y/N]? ", desc, warning, ssl_verify_error, vresult); |
| 330 | BIO_free(mem); |
| 331 | |
| 332 | prompt_user(prompt, &ans); |
| 333 | free(prompt); |
| 334 | if( blob_str(&ans)[0]!='y' && blob_str(&ans)[0]!='a' ) { |
| 335 |