Mercurial > pidgin
comparison libpurple/plugins/ssl/ssl-gnutls.c @ 27655:0ac5a002dd6d
Add a debug log message when MD5 is used in a verification chain. Refs #4458.
Adding a warning for end-users isn't going to be helpful in my opinion,
but if someone can come up with a short, clear, and accurate message to
convey this information to a user (who then needs to convey it to a
server operator), I'm all ears.
| author | Paul Aurich <paul@darkrain42.org> |
|---|---|
| date | Tue, 21 Jul 2009 05:33:43 +0000 |
| parents | e997e1e9b4f1 |
| children | 13a229a062c6 |
comparison
equal
deleted
inserted
replaced
| 27654:7e473a437c7f | 27655:0ac5a002dd6d |
|---|---|
| 666 { | 666 { |
| 667 gnutls_x509_crt crt_dat; | 667 gnutls_x509_crt crt_dat; |
| 668 gnutls_x509_crt issuer_dat; | 668 gnutls_x509_crt issuer_dat; |
| 669 unsigned int verify; /* used to store result from GnuTLS verifier */ | 669 unsigned int verify; /* used to store result from GnuTLS verifier */ |
| 670 int ret; | 670 int ret; |
| 671 gchar *crt_id = NULL; | |
| 672 gchar *issuer_id = NULL; | |
| 671 | 673 |
| 672 g_return_val_if_fail(crt, FALSE); | 674 g_return_val_if_fail(crt, FALSE); |
| 673 g_return_val_if_fail(issuer, FALSE); | 675 g_return_val_if_fail(issuer, FALSE); |
| 674 | 676 |
| 675 /* Verify that both certs are the correct scheme */ | 677 /* Verify that both certs are the correct scheme */ |
| 726 purple_debug_error("gnutls/x509", | 728 purple_debug_error("gnutls/x509", |
| 727 "Attempted certificate verification caused a GnuTLS error code %d. I will just say the signature is bad, but you should look into this.\n", ret); | 729 "Attempted certificate verification caused a GnuTLS error code %d. I will just say the signature is bad, but you should look into this.\n", ret); |
| 728 return FALSE; | 730 return FALSE; |
| 729 } | 731 } |
| 730 | 732 |
| 733 if (verify & GNUTLS_CERT_INSECURE_ALGORITHM) { | |
| 734 /* | |
| 735 * A certificate in the chain is signed with an insecure | |
| 736 * algorithm. Put a warning into the log to make this error | |
| 737 * perfectly clear as soon as someone looks at the debug log is | |
| 738 * generated. | |
| 739 */ | |
| 740 crt_id = purple_certificate_get_unique_id(crt); | |
| 741 issuer_id = purple_certificate_get_issuer_unique_id(crt); | |
| 742 purple_debug_warning("gnutls/x509", | |
| 743 "Insecure hash algorithm used by %s to sign %s\n", | |
| 744 issuer_id, crt_id); | |
| 745 } | |
| 746 | |
| 731 if (verify & GNUTLS_CERT_INVALID) { | 747 if (verify & GNUTLS_CERT_INVALID) { |
| 732 /* Signature didn't check out, but at least | 748 /* Signature didn't check out, but at least |
| 733 there were no errors*/ | 749 there were no errors*/ |
| 734 gchar *crt_id = purple_certificate_get_unique_id(crt); | 750 if (!crt_id) |
| 735 gchar *issuer_id = purple_certificate_get_issuer_unique_id(crt); | 751 crt_id = purple_certificate_get_unique_id(crt); |
| 736 purple_debug_info("gnutls/x509", | 752 if (!issuer_id) |
| 737 "Bad signature for %s on %s\n", | 753 issuer_id = purple_certificate_get_issuer_unique_id(crt); |
| 754 purple_debug_error("gnutls/x509", | |
| 755 "Bad signature from %s on %s\n", | |
| 738 issuer_id, crt_id); | 756 issuer_id, crt_id); |
| 739 g_free(crt_id); | 757 g_free(crt_id); |
| 740 g_free(issuer_id); | 758 g_free(issuer_id); |
| 741 | 759 |
| 742 return FALSE; | 760 return FALSE; |