
Show notBefore and notAfter timestamps for unknown TLS certificates.

danield 2021-10-22 19:26 trunk
Commit 5623188de389363cc376148a06f8ded872eb7c0c2e99c6124d49f035d28ad77e
1 file changed +17 -4
+17 -4
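--- a/src/http_ssl.c
+++ b/src/http_ssl.c
@@ -338,10 +338,17 @@
 ssl_set_errmsg("No SSL certificate was presented by the peer");
 ssl_close();
 return 1;
 }
 
+ /* Debugging hint: On unix-like system, run something like:
+ **
+ ** SSL_CERT_DIR=/tmp ./fossil sync
+ **
+ ** to cause certificate validation to fail, and thus test the fallback
+ ** logic.
+ */
 if( !sslNoCertVerify && SSL_get_verify_result(ssl)!=X509_V_OK ){
 int x, desclen;
 char *desc, *prompt;
 Blob ans;
 char cReply;
@@ -371,15 +378,19 @@
 /* Ignore the failure because an exception exists */
 ssl_one_time_exception(pUrlData, zHash);
 }else{
 /* Tell the user about the failure and ask what to do */
 mem = BIO_new(BIO_s_mem());
- BIO_puts(mem, " subject: ");
+ BIO_puts(mem, " subject: ");
 X509_NAME_print_ex(mem, X509_get_subject_name(cert), 0, XN_FLAG_ONELINE);
- BIO_puts(mem, "\n issuer: ");
+ BIO_puts(mem, "\n issuer: ");
 X509_NAME_print_ex(mem, X509_get_issuer_name(cert), 0, XN_FLAG_ONELINE);
- BIO_printf(mem, "\n sha256: %s", zHash);
+ BIO_puts(mem, "\n notBefore: ");
+ ASN1_TIME_print(mem, X509_get_notBefore(cert));
+ BIO_puts(mem, "\n notAfter: ");
+ ASN1_TIME_print(mem, X509_get_notAfter(cert));
+ BIO_printf(mem, "\n sha256: %s", zHash);
 desclen = BIO_get_mem_data(mem, &desc);
 
 prompt = mprintf("Unable to verify SSL cert from %s\n%.*s\n"
 "accept this cert and continue (y/N/fingerprint)? ",
 pUrlData->name, desclen, desc);
@@ -386,11 +397,13 @@
 BIO_free(mem);
 
 prompt_user(prompt, &ans);
 free(prompt);
 cReply = blob_str(&ans)[0];
- if( cReply!='y' && cReply!='Y' && fossil_stricmp(blob_str(&ans),zHash)!=0 ){
+ if( cReply!='y' && cReply!='Y'
+ && fossil_stricmp(blob_str(&ans),zHash)!=0
+ ){
 X509_free(cert);
 ssl_set_errmsg("SSL cert declined");
 ssl_close();
 blob_reset(&ans);
 return 1;
 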
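Review bot: The new notBefore/notAfter lines in the second hunk (new lines 387–390) tell the user when the certificate claims to be valid, but not why verification failed, which is the fact the accept-or-decline decision actually depends on — an expired certificate, an unknown issuer and a name mismatch all produce the same prompt. The verify result is already obtained on new line 350 of the first hunk, so the reason can be added to the same BIO with one line before the sha256 entry: `BIO_printf(mem, "\n reason: %s", X509_verify_cert_error_string(SSL_get_verify_result(ssl)));`. Separately, the two `ASN1_TIME_print()` calls ignore their return value; the function returns 0 on a malformed time and, as far as I recall, leaves only an error placeholder in the BIO, and since the certificate is untrusted at this point a malformed validity field is exactly the case a user should be told about rather than silently shown. The enclosing function begins before the first hunk and continues past the last.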
--- src/http_ssl.c
+++ src/http_ssl.c
@@ -338,10 +338,17 @@
338 ssl_set_errmsg("No SSL certificate was presented by the peer");
339 ssl_close();
340 return 1;
341 }
342
 
 
 
 
 
 
 
343 if( !sslNoCertVerify && SSL_get_verify_result(ssl)!=X509_V_OK ){
344 int x, desclen;
345 char *desc, *prompt;
346 Blob ans;
347 char cReply;
@@ -371,15 +378,19 @@
371 /* Ignore the failure because an exception exists */
372 ssl_one_time_exception(pUrlData, zHash);
373 }else{
374 /* Tell the user about the failure and ask what to do */
375 mem = BIO_new(BIO_s_mem());
376 BIO_puts(mem, " subject: ");
377 X509_NAME_print_ex(mem, X509_get_subject_name(cert), 0, XN_FLAG_ONELINE);
378 BIO_puts(mem, "\n issuer: ");
379 X509_NAME_print_ex(mem, X509_get_issuer_name(cert), 0, XN_FLAG_ONELINE);
380 BIO_printf(mem, "\n sha256: %s", zHash);
 
 
 
 
381 desclen = BIO_get_mem_data(mem, &desc);
382
383 prompt = mprintf("Unable to verify SSL cert from %s\n%.*s\n"
384 "accept this cert and continue (y/N/fingerprint)? ",
385 pUrlData->name, desclen, desc);
@@ -386,11 +397,13 @@
386 BIO_free(mem);
387
388 prompt_user(prompt, &ans);
389 free(prompt);
390 cReply = blob_str(&ans)[0];
391 if( cReply!='y' && cReply!='Y' && fossil_stricmp(blob_str(&ans),zHash)!=0 ){
 
 
392 X509_free(cert);
393 ssl_set_errmsg("SSL cert declined");
394 ssl_close();
395 blob_reset(&ans);
396 return 1;
397
--- src/http_ssl.c
+++ src/http_ssl.c
@@ -338,10 +338,17 @@
338 ssl_set_errmsg("No SSL certificate was presented by the peer");
339 ssl_close();
340 return 1;
341 }
342
343 /* Debugging hint: On unix-like system, run something like:
344 **
345 ** SSL_CERT_DIR=/tmp ./fossil sync
346 **
347 ** to cause certificate validation to fail, and thus test the fallback
348 ** logic.
349 */
350 if( !sslNoCertVerify && SSL_get_verify_result(ssl)!=X509_V_OK ){
351 int x, desclen;
352 char *desc, *prompt;
353 Blob ans;
354 char cReply;
@@ -371,15 +378,19 @@
378 /* Ignore the failure because an exception exists */
379 ssl_one_time_exception(pUrlData, zHash);
380 }else{
381 /* Tell the user about the failure and ask what to do */
382 mem = BIO_new(BIO_s_mem());
383 BIO_puts(mem, " subject: ");
384 X509_NAME_print_ex(mem, X509_get_subject_name(cert), 0, XN_FLAG_ONELINE);
385 BIO_puts(mem, "\n issuer: ");
386 X509_NAME_print_ex(mem, X509_get_issuer_name(cert), 0, XN_FLAG_ONELINE);
387 BIO_puts(mem, "\n notBefore: ");
388 ASN1_TIME_print(mem, X509_get_notBefore(cert));
389 BIO_puts(mem, "\n notAfter: ");
390 ASN1_TIME_print(mem, X509_get_notAfter(cert));
391 BIO_printf(mem, "\n sha256: %s", zHash);
392 desclen = BIO_get_mem_data(mem, &desc);
393
394 prompt = mprintf("Unable to verify SSL cert from %s\n%.*s\n"
395 "accept this cert and continue (y/N/fingerprint)? ",
396 pUrlData->name, desclen, desc);
@@ -386,11 +397,13 @@
397 BIO_free(mem);
398
399 prompt_user(prompt, &ans);
400 free(prompt);
401 cReply = blob_str(&ans)[0];
402 if( cReply!='y' && cReply!='Y'
403 && fossil_stricmp(blob_str(&ans),zHash)!=0
404 ){
405 X509_free(cert);
406 ssl_set_errmsg("SSL cert declined");
407 ssl_close();
408 blob_reset(&ans);
409 return 1;
410
