Mercurial > pidgin
comparison libpurple/plugins/ssl/ssl-gnutls.c @ 27655:0ac5a002dd6d
Add a debug log message when MD5 is used in a verification chain. Refs #4458.
Adding a warning for end-users isn't going to be helpful in my opinion,
but if someone can come up with a short, clear, and accurate message to
convey this information to a user (who then needs to convey it to a
server operator), I'm all ears.
author | Paul Aurich <paul@darkrain42.org> |
---|---|
date | Tue, 21 Jul 2009 05:33:43 +0000 |
parents | e997e1e9b4f1 |
children | 13a229a062c6 |
comparison
equal
deleted
inserted
replaced
27654:7e473a437c7f | 27655:0ac5a002dd6d |
---|---|
666 { | 666 { |
667 gnutls_x509_crt crt_dat; | 667 gnutls_x509_crt crt_dat; |
668 gnutls_x509_crt issuer_dat; | 668 gnutls_x509_crt issuer_dat; |
669 unsigned int verify; /* used to store result from GnuTLS verifier */ | 669 unsigned int verify; /* used to store result from GnuTLS verifier */ |
670 int ret; | 670 int ret; |
671 gchar *crt_id = NULL; | |
672 gchar *issuer_id = NULL; | |
671 | 673 |
672 g_return_val_if_fail(crt, FALSE); | 674 g_return_val_if_fail(crt, FALSE); |
673 g_return_val_if_fail(issuer, FALSE); | 675 g_return_val_if_fail(issuer, FALSE); |
674 | 676 |
675 /* Verify that both certs are the correct scheme */ | 677 /* Verify that both certs are the correct scheme */ |
726 purple_debug_error("gnutls/x509", | 728 purple_debug_error("gnutls/x509", |
727 "Attempted certificate verification caused a GnuTLS error code %d. I will just say the signature is bad, but you should look into this.\n", ret); | 729 "Attempted certificate verification caused a GnuTLS error code %d. I will just say the signature is bad, but you should look into this.\n", ret); |
728 return FALSE; | 730 return FALSE; |
729 } | 731 } |
730 | 732 |
733 if (verify & GNUTLS_CERT_INSECURE_ALGORITHM) { | |
734 /* | |
735 * A certificate in the chain is signed with an insecure | |
736 * algorithm. Put a warning into the log to make this error | |
737 * perfectly clear as soon as someone looks at the debug log is | |
738 * generated. | |
739 */ | |
740 crt_id = purple_certificate_get_unique_id(crt); | |
741 issuer_id = purple_certificate_get_issuer_unique_id(crt); | |
742 purple_debug_warning("gnutls/x509", | |
743 "Insecure hash algorithm used by %s to sign %s\n", | |
744 issuer_id, crt_id); | |
745 } | |
746 | |
731 if (verify & GNUTLS_CERT_INVALID) { | 747 if (verify & GNUTLS_CERT_INVALID) { |
732 /* Signature didn't check out, but at least | 748 /* Signature didn't check out, but at least |
733 there were no errors*/ | 749 there were no errors*/ |
734 gchar *crt_id = purple_certificate_get_unique_id(crt); | 750 if (!crt_id) |
735 gchar *issuer_id = purple_certificate_get_issuer_unique_id(crt); | 751 crt_id = purple_certificate_get_unique_id(crt); |
736 purple_debug_info("gnutls/x509", | 752 if (!issuer_id) |
737 "Bad signature for %s on %s\n", | 753 issuer_id = purple_certificate_get_issuer_unique_id(crt); |
754 purple_debug_error("gnutls/x509", | |
755 "Bad signature from %s on %s\n", | |
738 issuer_id, crt_id); | 756 issuer_id, crt_id); |
739 g_free(crt_id); | 757 g_free(crt_id); |
740 g_free(issuer_id); | 758 g_free(issuer_id); |
741 | 759 |
742 return FALSE; | 760 return FALSE; |