Mercurial > pidgin
changeset 27655:0ac5a002dd6d
Add a debug log message when MD5 is used in a verification chain. Refs #4458.
Adding a warning for end-users isn't going to be helpful in my opinion,
but if someone can come up with a short, clear, and accurate message to
convey this information to a user (who then needs to convey it to a
server operator), I'm all ears.
author | Paul Aurich <paul@darkrain42.org> |
---|---|
date | Tue, 21 Jul 2009 05:33:43 +0000 |
parents | 7e473a437c7f |
children | 96c38fe2cb00 |
files | libpurple/plugins/ssl/ssl-gnutls.c |
diffstat | 1 files changed, 22 insertions(+), 4 deletions(-) |
--- a/libpurple/plugins/ssl/ssl-gnutls.c Tue Jul 21 04:25:59 2009 +0000 +++ b/libpurple/plugins/ssl/ssl-gnutls.c Tue Jul 21 05:33:43 2009 +0000 @@ -668,6 +668,8 @@ gnutls_x509_crt issuer_dat; unsigned int verify; /* used to store result from GnuTLS verifier */ int ret; + gchar *crt_id = NULL; + gchar *issuer_id = NULL; g_return_val_if_fail(crt, FALSE); g_return_val_if_fail(issuer, FALSE); @@ -728,13 +730,29 @@ return FALSE; } + if (verify & GNUTLS_CERT_INSECURE_ALGORITHM) { + /* + * A certificate in the chain is signed with an insecure + * algorithm. Put a warning into the log to make this error + * perfectly clear as soon as someone looks at the debug log is + * generated. + */ + crt_id = purple_certificate_get_unique_id(crt); + issuer_id = purple_certificate_get_issuer_unique_id(crt); + purple_debug_warning("gnutls/x509", + "Insecure hash algorithm used by %s to sign %s\n", + issuer_id, crt_id); + } + if (verify & GNUTLS_CERT_INVALID) { /* Signature didn't check out, but at least there were no errors*/ - gchar *crt_id = purple_certificate_get_unique_id(crt); - gchar *issuer_id = purple_certificate_get_issuer_unique_id(crt); - purple_debug_info("gnutls/x509", - "Bad signature for %s on %s\n", + if (!crt_id) + crt_id = purple_certificate_get_unique_id(crt); + if (!issuer_id) + issuer_id = purple_certificate_get_issuer_unique_id(crt); + purple_debug_error("gnutls/x509", + "Bad signature from %s on %s\n", issuer_id, crt_id); g_free(crt_id); g_free(issuer_id);
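Review bot: In the new `GNUTLS_CERT_INSECURE_ALGORITHM` branch of the second hunk, `crt_id` and `issuer_id` are allocated, but the only `g_free()` calls visible are inside the following `GNUTLS_CERT_INVALID` branch. If the verifier reports the insecure-algorithm flag without the invalid flag, both strings leak. Since the first hunk initialises both pointers to NULL and `g_free()` accepts NULL, the simplest fix is to free them on a path that both branches reach, or to free them at the end of the new branch and reset them to NULL so the `if (!crt_id)` / `if (!issuer_id)` checks still work. The block comment in the new branch also ends in a garbled clause ("as soon as someone looks at the debug log is generated") and should be reworded.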