author | hiro <hiro@ee746299-78ed-0310-b773-934348b2243d> | 2009-12-08 02:23:33 +0000 |
---|---|---|
committer | hiro <hiro@ee746299-78ed-0310-b773-934348b2243d> | 2009-12-08 02:23:33 +0000 |
commit | 4b0433b7a9173709efcd5a07cb04ee246f9e2d4c (patch) | |
tree | 4f918acfa27874c18d4018b87115d0c19354c3a9 | |
parent | 3b8b01d72b34c4dc549e48976a45c6ae8e8a0835 (diff) |
prohibit acceptance of expired SSL certificates.
git-svn-id: svn://sylpheed.sraoss.jp/sylpheed/trunk@2366 ee746299-78ed-0310-b773-934348b2243d
-rw-r--r-- | ChangeLog | 5 | ||||
-rw-r--r-- | libsylph/ssl.c | 12 | ||||
-rw-r--r-- | src/sslmanager.c | 8 |
3 files changed, 21 insertions, 4 deletions
@@ -1,5 +1,10 @@ 2009-12-08 + * libsylph/ssl.c + src/sslmanager.c: prohibit acception of expired certificates. + +2009-12-08 + * src/compose.c: compose_close_cb(): modified button order on win32. 2009-12-04 diff --git a/libsylph/ssl.c b/libsylph/ssl.c index 2fd1c75e..c42214e1 100644 --- a/libsylph/ssl.c +++ b/libsylph/ssl.c @@ -273,6 +273,7 @@ gboolean ssl_init_socket_with_method(SockInfo *sockinfo, SSLMethod method) if ((server_cert = SSL_get_peer_certificate(sockinfo->ssl)) != NULL) { glong verify_result; + gboolean expired = FALSE; if (get_debug_mode()) { gchar *str; @@ -311,6 +312,9 @@ gboolean ssl_init_socket_with_method(SockInfo *sockinfo, SSLMethod method) debug_print("SSL verify OK\n"); X509_free(server_cert); return TRUE; + } else if (verify_result == X509_V_ERR_CERT_HAS_EXPIRED) { + log_message("SSL certificate of %s has expired\n", sockinfo->hostname); + expired = TRUE; } else if (g_slist_find_custom(trust_list, server_cert, x509_cmp_func) || g_slist_find_custom(tmp_trust_list, server_cert, @@ -346,12 +350,12 @@ gboolean ssl_init_socket_with_method(SockInfo *sockinfo, SSLMethod method) return FALSE; } else if (res > 0) { debug_print("Temporarily accept SSL certificate of %s\n", sockinfo->hostname); - tmp_trust_list = g_slist_prepend - (tmp_trust_list, X509_dup(server_cert)); + if (!expired) + tmp_trust_list = g_slist_prepend(tmp_trust_list, X509_dup(server_cert)); } else { debug_print("Permanently accept SSL certificate of %s\n", sockinfo->hostname); - trust_list = g_slist_prepend - (trust_list, X509_dup(server_cert)); + if (!expired) + trust_list = g_slist_prepend(trust_list, X509_dup(server_cert)); } } diff --git a/src/sslmanager.c b/src/sslmanager.c index b303960d..66beafbe 100644 --- a/src/sslmanager.c +++ b/src/sslmanager.c 
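Review bot: The new `verify_result == X509_V_ERR_CERT_HAS_EXPIRED` branch in the second libsylph/ssl.c hunk (@@ -311,6 +312,9 @@) only fires when expiry is the error that gets reported. verify_result holds a single code (presumably from SSL_get_verify_result(), which is outside the hunk), so a certificate that is expired and also fails for another reason, such as an untrusted or self-signed issuer, may carry a different code, match trust_list, or be cached again. Deriving the flag from the certificate itself closes that gap, e.g. `expired = X509_cmp_current_time(X509_get_notAfter(server_cert)) <= 0;` before the chain (treating the 0 error return as expired so it fails closed), with the trust-list branch gated on `!expired`. The same comparison sets `disable_always` in src/sslmanager.c (@@ -174,6 +175,10 @@), so the dialog has the same blind spot. The if/else chain continues outside this hunk.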
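Review bot: In the third libsylph/ssl.c hunk (@@ -346,12 +350,12 @@) the `if (!expired)` guards skip only the list insertion, so the preceding debug_print still logs "Temporarily accept" or "Permanently accept" for a certificate that is never stored. Anyone reconstructing trust decisions from the debug log would be misled. A comment such as `/* expired certificates are honoured for this connection only and never cached */` and a distinct log line for the expired case would make that explicit. Separately, `X509_dup(server_cert)` can return NULL and the result is prepended unchecked; duplicating into a local and prepending only when it is non-NULL avoids handing a NULL entry to x509_cmp_func later. The enclosing block starts and ends outside the hunk.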
@@ -59,6 +59,7 @@ gint ssl_manager_verify_cert(SockInfo *sockinfo, const gchar *hostname, gchar not_before[64] = "", not_after[64] = ""; gint i; gint result; + gboolean disable_always = FALSE; if (verify_result == X509_V_OK) return 0; @@ -174,6 +175,10 @@ gint ssl_manager_verify_cert(SockInfo *sockinfo, const gchar *hostname, } #endif + /* prohibit acception of expired certificates */ + if (verify_result == X509_V_ERR_CERT_HAS_EXPIRED) + disable_always = TRUE; + if (prefs_common.comply_gnome_hig) gtk_dialog_add_buttons(GTK_DIALOG(dialog), _("_Reject"), GTK_RESPONSE_REJECT, @@ -187,6 +192,9 @@ gint ssl_manager_verify_cert(SockInfo *sockinfo, const gchar *hostname, _("_Reject"), GTK_RESPONSE_REJECT, NULL); gtk_dialog_set_default_response(GTK_DIALOG(dialog), GTK_RESPONSE_OK); + if (disable_always) + gtk_dialog_set_response_sensitive(GTK_DIALOG(dialog), + GTK_RESPONSE_ACCEPT, FALSE); gtk_widget_show_all(dialog); |
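Review bot: In the last src/sslmanager.c hunk (@@ -187,6 +192,9 @@) the default response stays `GTK_RESPONSE_OK`, set on the context line just above the added call, even when the GTK_RESPONSE_ACCEPT button is greyed out. Pressing Enter on an expired-certificate prompt therefore presumably still accepts the certificate for the session. Making rejection the default in that case is safer: `gtk_dialog_set_default_response(GTK_DIALOG(dialog), disable_always ? GTK_RESPONSE_REJECT : GTK_RESPONSE_OK);`. If the message text built outside this hunk does not already say the certificate has expired, a sentence there would explain why the button is insensitive. ssl_manager_verify_cert() starts and ends outside the hunk.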