Check-in [3c19422b]
Overview
Comment:Merge in some ui enhancements from the ssl_platform_fixes branch.
SHA1:3c19422b6e4c643e67dcabb8c1fcfedb5da0f2fb
User & Date: bcsmith 2010-10-22 01:06:38
Context
2010-10-22
01:06
Merge in some ui enhancements from the ssl_platform_fixes branch. Leaf check-in: 3c19422b user: bcsmith tags: ui-improvements
01:04
Add some explanatory text to the update command to make it easier for new users to learn fossil. check-in: 858940c6 user: bcsmith tags: ui-improvements
2010-10-03
19:24
More descriptive SSL error messages. Closed-Leaf check-in: 6b8b6d2e user: bcsmith tags: ssl_platform_fixes
Changes

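--- a/src/http_ssl.c
+++ b/src/http_ssl.c
@@ -127,15 +127,16 @@
 **    g.urlPort       TCP/IP port to use.  Ex: 80
 **
 ** Return the number of errors.
 */
 int ssl_open(void){
   X509 *cert;
   int hasSavedCertificate = 0;
-char *connStr ;
+  char *connStr;
+  int vresult = 0;
   ssl_global_init();
 
   /* Get certificate for current server from global config and
    * (if we have it in config) add it to certificate store.
    */
   cert = ssl_get_certificate();
   if ( cert!=NULL ){
@@ -175,17 +176,18 @@
 
   if ( cert==NULL ){
     ssl_set_errmsg("No SSL certificate was presented by the peer");
     ssl_close();
     return 1;
   }
 
-  if( SSL_get_verify_result(ssl) != X509_V_OK ){
+  if( (vresult = SSL_get_verify_result(ssl)) != X509_V_OK ){
     char *desc, *prompt;
     char *warning = "";
+    char *ssl_verify_error = "";
     Blob ans;
     BIO *mem;
     
     mem = BIO_new(BIO_s_mem());
     X509_NAME_print_ex(mem, X509_get_subject_name(cert), 2, XN_FLAG_MULTILINE);
     BIO_puts(mem, "\n\nIssued By:\n\n");
     X509_NAME_print_ex(mem, X509_get_issuer_name(cert), 2, XN_FLAG_MULTILINE);
@@ -192,16 +194,143 @@
     BIO_write(mem, "", 1); // null-terminate mem buffer
     BIO_get_mem_data(mem, &desc);
     
     if( hasSavedCertificate ){
       warning = "WARNING: Certificate doesn't match the "
                 "saved certificate for this host!";
     }
-    prompt = mprintf("\nUnknown SSL certificate:\n\n%s\n\n%s\n"
-                     "Accept certificate [a=always/y/N]? ", desc, warning);
+    switch(vresult) {
+      case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
+        ssl_verify_error = "SSL: unable to get issuer certificate.";
+        break;
+
+      case X509_V_ERR_UNABLE_TO_GET_CRL:
+        ssl_verify_error = "SSL: unable to get certificate CRL.";
+        break;
+
+      case X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE:
+        ssl_verify_error = "SSL: unable to decrypt certificate’s signature.";
+        break;
+
+      case X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE:
+        ssl_verify_error = "SSL: unable to decrypt CRL’s signature.";
+        break;
+
+      case X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY:
+        ssl_verify_error = "SSL: unable to decode issuer public key.";
+        break;
+
+      case X509_V_ERR_CERT_SIGNATURE_FAILURE:
+        ssl_verify_error = "SSL: certificate signature failure.";
+        break;
+
+      case X509_V_ERR_CRL_SIGNATURE_FAILURE:
+        ssl_verify_error = "SSL: CRL signature failure.";
+        break;
+
+      case X509_V_ERR_CERT_NOT_YET_VALID:
+        ssl_verify_error = "SSL: certificate is not yet valid.";
+        break;
+
+      case X509_V_ERR_CERT_HAS_EXPIRED:
+        ssl_verify_error = "SSL: certificate has expired.";
+        break;
+
+      case X509_V_ERR_CRL_NOT_YET_VALID:
+        ssl_verify_error = "SSL: CRL is not yet valid.";
+        break;
+
+      case X509_V_ERR_CRL_HAS_EXPIRED:
+        ssl_verify_error = "SSL: CRL has expired.";
+        break;
+
+      case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
+        ssl_verify_error = "SSL: format error in certificate’s notBefore field.";
+        break;
+
+      case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
+        ssl_verify_error = "SSL: format error in certificate’s notAfter field.";
+        break;
+
+      case X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD:
+        ssl_verify_error = "SSL: format error in CRL’s lastUpdate field.";
+        break;
+
+      case X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD:
+        ssl_verify_error = "SSL: format error in CRL’s nextUpdate field.";
+        break;
+
+      case X509_V_ERR_OUT_OF_MEM:
+        ssl_verify_error = "SSL: out of memory.";
+        break;
+
+      case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
+        ssl_verify_error = "SSL: self signed certificate.";
+        break;
+
+      case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
+        ssl_verify_error = "SSL: self signed certificate in certificate chain.";
+        break;
+
+      case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
+        ssl_verify_error = "SSL: unable to get local issuer certificate.";
+        break;
+
+      case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
+        ssl_verify_error = "SSL: unable to verify the first certificate.";
+        break;
+
+      case X509_V_ERR_CERT_CHAIN_TOO_LONG:
+        ssl_verify_error = "SSL: certificate chain too long.";
+        break;
+
+      case X509_V_ERR_CERT_REVOKED:
+        ssl_verify_error = "SSL: certificate revoked.";
+        break;
+
+      case X509_V_ERR_INVALID_CA:
+        ssl_verify_error = "SSL: invalid CA certificate.";
+        break;
+
+      case X509_V_ERR_PATH_LENGTH_EXCEEDED:
+        ssl_verify_error = "SSL: path length constraint exceeded.";
+        break;
+
+      case X509_V_ERR_INVALID_PURPOSE:
+        ssl_verify_error = "SSL: unsupported certificate purpose.";
+        break;
+
+      case X509_V_ERR_CERT_UNTRUSTED:
+        ssl_verify_error = "SSL: certificate not trusted.";
+        break;
+
+      case X509_V_ERR_CERT_REJECTED:
+        ssl_verify_error = "SSL: certificate rejected.";
+        break;
+
+      case X509_V_ERR_SUBJECT_ISSUER_MISMATCH:
+        ssl_verify_error = "SSL: subject issuer mismatch.";
+        break;
+
+      case X509_V_ERR_AKID_SKID_MISMATCH:
+        ssl_verify_error = "SSL: authority and subject key identifier mismatch.";
+        break;
+
+      case X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH:
+        ssl_verify_error = "SSL: authority and issuer serial number mismatch.";
+        break;
+
+      case X509_V_ERR_KEYUSAGE_NO_CERTSIGN:
+        ssl_verify_error = "SSL: key usage does not include certificate signing.";
+        break;
+      default:
+        ssl_verify_error = "SSL: Unknown error.";
+    };
+    prompt = mprintf("\nUnknown SSL certificate:\n\n%s\n\n%s\n%s Code: %d\n"
+                     "Accept certificate [a=always/y/N]? ", desc, warning, ssl_verify_error, vresult);
     BIO_free(mem);
 
     prompt_user(prompt, &ans);
     free(prompt);
     if( blob_str(&ans)[0]!='y' && blob_str(&ans)[0]!='a' ) {
       X509_free(cert);
       ssl_set_errmsg("SSL certificate declined");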
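Review bot: The 127-line `switch(vresult) {` … `};` in the third hunk hand-copies the descriptions OpenSSL already exports through `X509_verify_cert_error_string()`, so every verify code it leaves out — and any added by a later OpenSSL — falls to the `default:` "SSL: Unknown error." with only the numeric code to go on; the whole block reduces to `ssl_verify_error = X509_verify_cert_error_string(vresult);` and needs no maintenance. `SSL_get_verify_result()` returns `long`, so `int vresult = 0;` in the first hunk narrows it; declaring `long vresult = 0;` and printing it with `%ld` in the `mprintf` format keeps the code exact. The messages for the two `unable to decrypt …’s signature` cases and the four `format error in …` cases embed a raw U+2019 apostrophe in an otherwise ASCII file, which renders as mojibake on a terminal whose encoding differs from the compiler's source charset — a plain `'` avoids that. The `};` that closes the switch carries a stray empty statement. ssl_open's body continues past the end of this hunk.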