author | hiro <hiro@ee746299-78ed-0310-b773-934348b2243d> | 2009-11-19 08:42:35 +0000 |
---|---|---|
committer | hiro <hiro@ee746299-78ed-0310-b773-934348b2243d> | 2009-11-19 08:42:35 +0000 |
commit | 86051e4d314d3aa4689feefd8314ced7aeea6444 (patch) | |
tree | 23b3f6c7146b143da874980a302be9721c4c1d42 | |
parent | d216d4d51ce9e34129d4c6fbf5c9ff91ea6cf75e (diff) |
calculate and display SHA1/MD5 fingerprint if verification of SSL certificate failed.
git-svn-id: svn://sylpheed.sraoss.jp/sylpheed/trunk@2350 ee746299-78ed-0310-b773-934348b2243d
-rw-r--r-- | ChangeLog | 6 | ||||
-rw-r--r-- | libsylph/ssl.c | 16 | ||||
-rw-r--r-- | src/sslmanager.c | 26 |
3 files changed, 47 insertions, 1 deletions
@@ -1,3 +1,9 @@ +2009-11-19 + + * libsylph/ssl.c + src/sslmanager.c: calculate and display SHA1/MD5 fingerprint + if verification of SSL certificate failed. + 2009-11-16 * version 3.0.0beta2 diff --git a/libsylph/ssl.c b/libsylph/ssl.c index e9ac2f24..a22998ab 100644 --- a/libsylph/ssl.c +++ b/libsylph/ssl.c @@ -274,6 +274,10 @@ gboolean ssl_init_socket_with_method(SockInfo *sockinfo, SSLMethod method) if ((server_cert = SSL_get_peer_certificate(sockinfo->ssl)) != NULL) { gchar *str; glong verify_result; + guchar keyid[EVP_MAX_MD_SIZE]; + gchar keyidstr[EVP_MAX_MD_SIZE * 3 + 1] = ""; + guint keyidlen = 0; + gint i; debug_print(_("Server certificate:\n")); @@ -286,6 +290,18 @@ gboolean ssl_init_socket_with_method(SockInfo *sockinfo, SSLMethod method) debug_print(_(" Issuer: %s\n"), str); OPENSSL_free(str); } + if (X509_digest(server_cert, EVP_sha1(), keyid, &keyidlen)) { + for (i = 0; i < keyidlen; i++) + g_snprintf(keyidstr + i * 3, 4, "%02x:", keyid[i]); + keyidstr[keyidlen * 3 - 1] = '\0'; + debug_print(" SHA1 fingerprint: %s\n", keyidstr); + } + if (X509_digest(server_cert, EVP_md5(), keyid, &keyidlen)) { + for (i = 0; i < keyidlen; i++) + g_snprintf(keyidstr + i * 3, 4, "%02x:", keyid[i]); + keyidstr[keyidlen * 3 - 1] = '\0'; + debug_print(" MD5 fingerprint: %s\n", keyidstr); + } verify_result = SSL_get_verify_result(sockinfo->ssl); if (verify_result == X509_V_OK) { diff --git a/src/sslmanager.c b/src/sslmanager.c index eaed7786..8459cdf3 100644 --- a/src/sslmanager.c +++ b/src/sslmanager.c @@ -51,6 +51,11 @@ gint ssl_manager_verify_cert(SockInfo *sockinfo, const gchar *hostname, const gchar *title; gchar *message; gchar *subject, *issuer; + guchar keyid[EVP_MAX_MD_SIZE]; + gchar sha1_keyidstr[EVP_MAX_MD_SIZE * 3 + 1] = ""; + gchar md5_keyidstr[EVP_MAX_MD_SIZE * 3 + 1] = ""; + guint keyidlen = 0; + gint i; gint result; if (verify_result == X509_V_OK) 
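Review bot: The hex-formatting loop and the `keyidstr[keyidlen * 3 - 1] = '\0';` terminator write in the second libsylph/ssl.c hunk appear twice there and twice more in the second src/sslmanager.c hunk; a shared helper would remove the duplication and is the natural place to guard `keyidlen == 0`, where the `guint` subtraction wraps and the store lands far outside the buffer. X509_digest() with EVP_sha1()/EVP_md5() produces fixed 20- and 16-byte digests, so the wrap is unlikely in practice, but the check costs nothing and the helper then documents the `len * 3` buffer requirement that both files currently rely on implicitly. The helper could live next to ssl_init_socket_with_method and be exported through the header that declares it so sslmanager.c can reuse it. Separately, `debug_print("  SHA1 fingerprint: %s\n", keyidstr)` and the matching MD5 line are the only debug strings in this block not wrapped in `_()`, unlike `_("  Issuer: %s\n")` just above them. ssl_init_socket_with_method continues outside the hunk.
```c
/* Render a raw digest as colon-separated lowercase hex ("ab:cd:...").
 * out must hold at least len * 3 bytes (the final colon becomes the NUL);
 * an empty digest or an undersized buffer yields "". */
static void ssl_format_fingerprint(const guchar *digest, guint len,
				   gchar *out, gsize outsize)
{
	guint i;

	if (len == 0 || outsize < (gsize)len * 3) {
		if (outsize > 0)
			out[0] = '\0';
		return;
	}
	for (i = 0; i < len; i++)
		g_snprintf(out + i * 3, 4, "%02x:", digest[i]);
	out[len * 3 - 1] = '\0';
}

		/* … unchanged: Subject/Issuer debug output … */
		if (X509_digest(server_cert, EVP_sha1(), keyid, &keyidlen)) {
			ssl_format_fingerprint(keyid, keyidlen, keyidstr, sizeof(keyidstr));
			debug_print(_("  SHA1 fingerprint: %s\n"), keyidstr);
		}
		if (X509_digest(server_cert, EVP_md5(), keyid, &keyidlen)) {
			ssl_format_fingerprint(keyid, keyidlen, keyidstr, sizeof(keyidstr));
			debug_print(_("  MD5 fingerprint: %s\n"), keyidstr);
		}
```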
@@ -61,16 +66,35 @@ gint ssl_manager_verify_cert(SockInfo *sockinfo, const gchar *hostname, subject = X509_NAME_oneline(X509_get_subject_name(server_cert), NULL, 0); issuer = X509_NAME_oneline(X509_get_issuer_name(server_cert), NULL, 0); + if (X509_digest(server_cert, EVP_sha1(), keyid, &keyidlen)) { + for (i = 0; i < keyidlen; i++) + g_snprintf(sha1_keyidstr + i * 3, 4, "%02x:", keyid[i]); + sha1_keyidstr[keyidlen * 3 - 1] = '\0'; + } else { + g_snprintf(sha1_keyidstr, sizeof(sha1_keyidstr), + "(cannot calculate digest)"); + } + if (X509_digest(server_cert, EVP_md5(), keyid, &keyidlen)) { + for (i = 0; i < keyidlen; i++) + g_snprintf(md5_keyidstr + i * 3, 4, "%02x:", keyid[i]); + md5_keyidstr[keyidlen * 3 - 1] = '\0'; + } else { + g_snprintf(md5_keyidstr, sizeof(md5_keyidstr), + "(cannot calculate digest)"); + } message = g_strdup_printf (_("The SSL certificate of %s cannot be verified by the following reason:\n" " %s\n\n" "Server certificate:\n" " Subject: %s\n" " Issuer: %s\n\n" + " SHA1 fingerprint: %s\n" + " MD5 fingerprint: %s\n\n" "Do you accept this certificate?"), hostname, X509_verify_cert_error_string(verify_result), subject ? subject : "(unknown)", - issuer ? issuer : "(unknown)"); + issuer ? issuer : "(unknown)", + sha1_keyidstr, md5_keyidstr); if (issuer) OPENSSL_free(issuer); if (subject) |
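Review bot: The dialog assembled in this hunk asks the user to accept a certificate on the strength of two fingerprints, and the MD5 block deserves a comment saying it is not a verification aid: MD5 collisions were already practical when this was written, so agreement on the MD5 value alone is weak evidence that two certificates are the same, and the SHA1 line is the one to compare against an out-of-band fingerprint. A comment above the `EVP_md5()` call such as `/* MD5 is collision-prone; shown only to match fingerprints published elsewhere, compare the SHA1 value */` would record that for maintainers. The `"(cannot calculate digest)"` fallback is also the only new user-visible literal here not wrapped in `_()`, although the pre-existing `"(unknown)"` fallback has the same omission, so this may be deliberate project convention. ssl_manager_verify_cert continues outside the hunk.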