Fossil SCM
When displaying an unknown certificate, also display the certificate fingerprint so the user can verify they're seeing the certificate they expect. Just displaying the textual names in the certificate does not give enough information to be certain someone isn't doing a man in the middle attack.
Commit
fc93bfb0f720e5d1a2963a60b4c263f7f7b01e39
Parent
2b4a6a66e1d6ae6…
1 file changed
+9
+9
| --- src/http_ssl.c | ||
| +++ src/http_ssl.c | ||
| @@ -182,15 +182,24 @@ | ||
| 182 | 182 | if( SSL_get_verify_result(ssl) != X509_V_OK ){ |
| 183 | 183 | char *desc, *prompt; |
| 184 | 184 | char *warning = ""; |
| 185 | 185 | Blob ans; |
| 186 | 186 | BIO *mem; |
| 187 | + unsigned char md[32]; | |
| 188 | + unsigned int mdLength = 31; | |
| 187 | 189 | |
| 188 | 190 | mem = BIO_new(BIO_s_mem()); |
| 189 | 191 | X509_NAME_print_ex(mem, X509_get_subject_name(cert), 2, XN_FLAG_MULTILINE); |
| 190 | 192 | BIO_puts(mem, "\n\nIssued By:\n\n"); |
| 191 | 193 | X509_NAME_print_ex(mem, X509_get_issuer_name(cert), 2, XN_FLAG_MULTILINE); |
| 194 | + BIO_puts(mem, "\n\nSHA1 Fingerprint:\n\n "); | |
| 195 | + if(X509_digest(cert, EVP_sha1(), md, &mdLength)){ | |
| 196 | + int j; | |
| 197 | + for( j = 0; j < mdLength; ++j ) { | |
| 198 | + BIO_printf(mem, " %02x", md[j]); | |
| 199 | + } | |
| 200 | + } | |
| 192 | 201 | BIO_write(mem, "", 1); // null-terminate mem buffer |
| 193 | 202 | BIO_get_mem_data(mem, &desc); |
| 194 | 203 | |
| 195 | 204 | if( hasSavedCertificate ){ |
| 196 | 205 | warning = "WARNING: Certificate doesn't match the " |
| 197 | 206 |
| --- src/http_ssl.c | |
| +++ src/http_ssl.c | |
| @@ -182,15 +182,24 @@ | |
| 182 | if( SSL_get_verify_result(ssl) != X509_V_OK ){ |
| 183 | char *desc, *prompt; |
| 184 | char *warning = ""; |
| 185 | Blob ans; |
| 186 | BIO *mem; |
| 187 | |
| 188 | mem = BIO_new(BIO_s_mem()); |
| 189 | X509_NAME_print_ex(mem, X509_get_subject_name(cert), 2, XN_FLAG_MULTILINE); |
| 190 | BIO_puts(mem, "\n\nIssued By:\n\n"); |
| 191 | X509_NAME_print_ex(mem, X509_get_issuer_name(cert), 2, XN_FLAG_MULTILINE); |
| 192 | BIO_write(mem, "", 1); // null-terminate mem buffer |
| 193 | BIO_get_mem_data(mem, &desc); |
| 194 | |
| 195 | if( hasSavedCertificate ){ |
| 196 | warning = "WARNING: Certificate doesn't match the " |
| 197 |
| --- src/http_ssl.c | |
| +++ src/http_ssl.c | |
| @@ -182,15 +182,24 @@ | |
| 182 | if( SSL_get_verify_result(ssl) != X509_V_OK ){ |
| 183 | char *desc, *prompt; |
| 184 | char *warning = ""; |
| 185 | Blob ans; |
| 186 | BIO *mem; |
| 187 | unsigned char md[32]; |
| 188 | unsigned int mdLength = 31; |
| 189 | |
| 190 | mem = BIO_new(BIO_s_mem()); |
| 191 | X509_NAME_print_ex(mem, X509_get_subject_name(cert), 2, XN_FLAG_MULTILINE); |
| 192 | BIO_puts(mem, "\n\nIssued By:\n\n"); |
| 193 | X509_NAME_print_ex(mem, X509_get_issuer_name(cert), 2, XN_FLAG_MULTILINE); |
| 194 | BIO_puts(mem, "\n\nSHA1 Fingerprint:\n\n "); |
| 195 | if(X509_digest(cert, EVP_sha1(), md, &mdLength)){ |
| 196 | int j; |
| 197 | for( j = 0; j < mdLength; ++j ) { |
| 198 | BIO_printf(mem, " %02x", md[j]); |
| 199 | } |
| 200 | } |
| 201 | BIO_write(mem, "", 1); // null-terminate mem buffer |
| 202 | BIO_get_mem_data(mem, &desc); |
| 203 | |
| 204 | if( hasSavedCertificate ){ |
| 205 | warning = "WARNING: Certificate doesn't match the " |
| 206 |