# HG changeset patch # User Paul Aurich # Date 1248154423 0 # Node ID 0ac5a002dd6d5532f62a525cbbce7f3a523d5ddd # Parent 7e473a437c7f253510e354c140f8bdb488e4c568 Add a debug log message when MD5 is used in a verification chain. Refs #4458. Adding a warning for end-users isn't going to be helpful in my opinion, but if someone can come up with a short, clear, and accurate message to convey this information to a user (who then needs to convey it to a server operator), I'm all ears. diff -r 7e473a437c7f -r 0ac5a002dd6d libpurple/plugins/ssl/ssl-gnutls.c --- a/libpurple/plugins/ssl/ssl-gnutls.c Tue Jul 21 04:25:59 2009 +0000 +++ b/libpurple/plugins/ssl/ssl-gnutls.c Tue Jul 21 05:33:43 2009 +0000 @@ -668,6 +668,8 @@ gnutls_x509_crt issuer_dat; unsigned int verify; /* used to store result from GnuTLS verifier */ int ret; + gchar *crt_id = NULL; + gchar *issuer_id = NULL; g_return_val_if_fail(crt, FALSE); g_return_val_if_fail(issuer, FALSE); @@ -728,13 +730,29 @@ return FALSE; } + if (verify & GNUTLS_CERT_INSECURE_ALGORITHM) { + /* + * A certificate in the chain is signed with an insecure + * algorithm. Put a warning into the log to make this error + * perfectly clear as soon as someone looks at the debug log is + * generated. + */ + crt_id = purple_certificate_get_unique_id(crt); + issuer_id = purple_certificate_get_issuer_unique_id(crt); + purple_debug_warning("gnutls/x509", + "Insecure hash algorithm used by %s to sign %s\n", + issuer_id, crt_id); + } + if (verify & GNUTLS_CERT_INVALID) { /* Signature didn't check out, but at least there were no errors*/ - gchar *crt_id = purple_certificate_get_unique_id(crt); - gchar *issuer_id = purple_certificate_get_issuer_unique_id(crt); - purple_debug_info("gnutls/x509", - "Bad signature for %s on %s\n", + if (!crt_id) + crt_id = purple_certificate_get_unique_id(crt); + if (!issuer_id) + issuer_id = purple_certificate_get_issuer_unique_id(crt); + purple_debug_error("gnutls/x509", + "Bad signature from %s on %s\n", issuer_id, crt_id); g_free(crt_id); g_free(issuer_id);