Make the HTTP SSL code print the verification error when certificate verification fails. The question put to the user now also names the host the certificate is for.
Commit
79c31f9b73aeb19a755e6e678b5175f7c767d0e6
Parent
55fb082ae5a265c…
1 file changed
+15
-10
+15
-10
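--- a/src/http_ssl.c
+++ b/src/http_ssl.c
@@ -194,10 +194,12 @@
 int ssl_open(void){
 X509 *cert;
 int hasSavedCertificate = 0;
 int trusted = 0;
 char *connStr ;
+unsigned long e;
+
 ssl_global_init();
 
 /* Get certificate for current server from global config and
 * (if we have it in config) add it to certificate store.
 */
@@ -241,11 +243,11 @@
 ssl_set_errmsg("No SSL certificate was presented by the peer");
 ssl_close();
 return 1;
 }
 
-if( trusted<=0 && SSL_get_verify_result(ssl) != X509_V_OK ){
+if( trusted<=0 && (e = SSL_get_verify_result(ssl)) != X509_V_OK ){
 char *desc, *prompt;
 char *warning = "";
 Blob ans;
 BIO *mem;
 unsigned char md[32];
@@ -267,19 +269,22 @@
 
 if( hasSavedCertificate ){
 warning = "WARNING: Certificate doesn't match the "
 "saved certificate for this host!";
 }
-prompt = mprintf(
-"\nUnknown SSL certificate:\n\n%s\n\n%s\n"
-"Either:\n"
-" * verify the certificate is correct using the SHA1 fingerprint above\n"
-" * use the global ssl-ca-location setting to specify your CA root\n"
-" certificates list\n\n"
-"If you are not expecting this message, answer no and "
-"contact your server\nadministrator.\n\n"
-"Accept certificate [a=always/y/N]? ", desc, warning);
+prompt = mprintf("\nSSL verification failed: %s\n"
+"Certificate received: \n\n%s\n\n%s\n"
+"Either:\n"
+" * verify the certificate is correct using the "
+"SHA1 fingerprint above\n"
+" * use the global ssl-ca-location setting to specify your CA root\n"
+" certificates list\n\n"
+"If you are not expecting this message, answer no and "
+"contact your server\nadministrator.\n\n"
+"Accept certificate for host %s [a=always/y/N]? ",
+X509_verify_cert_error_string(e), desc, warning,
+g.urlName);
 BIO_free(mem);
 
 prompt_user(prompt, &ans);
 free(prompt);
 if( blob_str(&ans)[0]!='y' && blob_str(&ans)[0]!='a' ) {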
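Review bot: `e` is declared `unsigned long` at the top of ssl_open, but SSL_get_verify_result() returns `long` and X509_verify_cert_error_string() takes `long`, so the declaration should be `long e;` to avoid the implicit signed/unsigned conversions in the condition at new line 248 and the call at new line 284. The new prompt names `g.urlName`, which presumably is the host the user asked for and not a name read from the certificate. Nothing in the visible hunks compares the two, so a short comment above the mprintf such as `/* g.urlName is the requested host, not a name taken from the certificate */` would keep the prompt from being read as a host-name check. ssl_open's body continues outside these hunks.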
| --- src/http_ssl.c | |
| +++ src/http_ssl.c | |
| @@ -194,10 +194,12 @@ | |
| 194 | int ssl_open(void){ |
| 195 | X509 *cert; |
| 196 | int hasSavedCertificate = 0; |
| 197 | int trusted = 0; |
| 198 | char *connStr ; |
| 199 | ssl_global_init(); |
| 200 | |
| 201 | /* Get certificate for current server from global config and |
| 202 | * (if we have it in config) add it to certificate store. |
| 203 | */ |
| @@ -241,11 +243,11 @@ | |
| 241 | ssl_set_errmsg("No SSL certificate was presented by the peer"); |
| 242 | ssl_close(); |
| 243 | return 1; |
| 244 | } |
| 245 | |
| 246 | if( trusted<=0 && SSL_get_verify_result(ssl) != X509_V_OK ){ |
| 247 | char *desc, *prompt; |
| 248 | char *warning = ""; |
| 249 | Blob ans; |
| 250 | BIO *mem; |
| 251 | unsigned char md[32]; |
| @@ -267,19 +269,22 @@ | |
| 267 | |
| 268 | if( hasSavedCertificate ){ |
| 269 | warning = "WARNING: Certificate doesn't match the " |
| 270 | "saved certificate for this host!"; |
| 271 | } |
| 272 | prompt = mprintf( |
| 273 | "\nUnknown SSL certificate:\n\n%s\n\n%s\n" |
| 274 | "Either:\n" |
| 275 | " * verify the certificate is correct using the SHA1 fingerprint above\n" |
| 276 | " * use the global ssl-ca-location setting to specify your CA root\n" |
| 277 | " certificates list\n\n" |
| 278 | "If you are not expecting this message, answer no and " |
| 279 | "contact your server\nadministrator.\n\n" |
| 280 | "Accept certificate [a=always/y/N]? ", desc, warning); |
| 281 | BIO_free(mem); |
| 282 | |
| 283 | prompt_user(prompt, &ans); |
| 284 | free(prompt); |
| 285 | if( blob_str(&ans)[0]!='y' && blob_str(&ans)[0]!='a' ) { |
| 286 |
| --- src/http_ssl.c | |
| +++ src/http_ssl.c | |
| @@ -194,10 +194,12 @@ | |
| 194 | int ssl_open(void){ |
| 195 | X509 *cert; |
| 196 | int hasSavedCertificate = 0; |
| 197 | int trusted = 0; |
| 198 | char *connStr ; |
| 199 | unsigned long e; |
| 200 | |
| 201 | ssl_global_init(); |
| 202 | |
| 203 | /* Get certificate for current server from global config and |
| 204 | * (if we have it in config) add it to certificate store. |
| 205 | */ |
| @@ -241,11 +243,11 @@ | |
| 243 | ssl_set_errmsg("No SSL certificate was presented by the peer"); |
| 244 | ssl_close(); |
| 245 | return 1; |
| 246 | } |
| 247 | |
| 248 | if( trusted<=0 && (e = SSL_get_verify_result(ssl)) != X509_V_OK ){ |
| 249 | char *desc, *prompt; |
| 250 | char *warning = ""; |
| 251 | Blob ans; |
| 252 | BIO *mem; |
| 253 | unsigned char md[32]; |
| @@ -267,19 +269,22 @@ | |
| 269 | |
| 270 | if( hasSavedCertificate ){ |
| 271 | warning = "WARNING: Certificate doesn't match the " |
| 272 | "saved certificate for this host!"; |
| 273 | } |
| 274 | prompt = mprintf("\nSSL verification failed: %s\n" |
| 275 | "Certificate received: \n\n%s\n\n%s\n" |
| 276 | "Either:\n" |
| 277 | " * verify the certificate is correct using the " |
| 278 | "SHA1 fingerprint above\n" |
| 279 | " * use the global ssl-ca-location setting to specify your CA root\n" |
| 280 | " certificates list\n\n" |
| 281 | "If you are not expecting this message, answer no and " |
| 282 | "contact your server\nadministrator.\n\n" |
| 283 | "Accept certificate for host %s [a=always/y/N]? ", |
| 284 | X509_verify_cert_error_string(e), desc, warning, |
| 285 | g.urlName); |
| 286 | BIO_free(mem); |
| 287 | |
| 288 | prompt_user(prompt, &ans); |
| 289 | free(prompt); |
| 290 | if( blob_str(&ans)[0]!='y' && blob_str(&ans)[0]!='a' ) { |
| 291 |