Commit 527ceeb8 authored by Philipp Hörist's avatar Philipp Hörist

HTTPUpload: Respect cert store

parent c93e6a91
......@@ -69,6 +69,17 @@ def add_certificate(self, certificate):
self._on_certificate_write_finished,
path)
def verify(self, certificate, tls_errors):
if Gio.TlsCertificateFlags.UNKNOWN_CA in tls_errors:
for trusted_certificate in self._certs:
if trusted_certificate.is_same(certificate):
tls_errors.remove(Gio.TlsCertificateFlags.UNKNOWN_CA)
break
if not tls_errors:
return True
return False
@staticmethod
def _on_certificate_write_finished(data, error, path):
if data is None:
......
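Review bot: `verify` (L9-L17) mutates the `tls_errors` set it receives — `tls_errors.remove(Gio.TlsCertificateFlags.UNKNOWN_CA)` at L13 — so the caller is left with the filtered set, which is exactly what `_check_certificate` in httpupload relies on to log only the errors that remain, but nothing documents that side effect or that the argument must be a mutable set. A docstring such as `"""Return True if certificate passes verification. Drops UNKNOWN_CA from tls_errors in place when certificate matches a stored trusted one; every other flag still fails."""` would make the contract explicit. The scope is right from a security standpoint: only UNKNOWN_CA is cleared by the pin (L10, L13), so an expired or hostname-mismatched certificate is rejected even if it is in the store. What `is_same` compares is not visible in the diff, so I cannot confirm it is a full certificate comparison rather than, say, a subject match.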
......@@ -21,7 +21,6 @@
from nbxmpp.const import ConnectionType
from gi.repository import GLib
from gi.repository import Gio
from gajim.common import passwords
from gajim.common.nec import NetworkEvent
......@@ -36,6 +35,7 @@
from gajim.common.helpers import get_user_proxy
from gajim.common.helpers import warn_about_plain_connection
from gajim.common.helpers import get_resource
from gajim.common.helpers import get_ignored_ssl_errors
from gajim.common.i18n import _
from gajim.common.connection_handlers import ConnectionHandlers
......@@ -140,7 +140,8 @@ def _create_client(self):
self._client.set_accepted_certificates(
app.cert_store.get_certificates())
self._client.set_ignored_tls_errors(self._get_ignored_ssl_errors())
self._client.set_ignored_tls_errors(
get_ignored_ssl_errors(self._account))
if app.config.get_per('accounts', self._account,
'use_plain_connection'):
......@@ -161,11 +162,6 @@ def _create_client(self):
self._register_new_handlers()
def _get_ignored_ssl_errors(self):
ignore_ssl_errors = app.config.get_per(
'accounts', self.name, 'ignore_ssl_errors').split()
return {Gio.TlsCertificateFlags(int(err)) for err in ignore_ssl_errors}
def process_ssl_errors(self):
if not self._ssl_errors:
self.connect(ignore_all_errors=True)
......
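Review bot: The replacement call at L39-L40 passes `self._account` to `get_ignored_ssl_errors`, whereas the method it replaces read the config under `self.name` (L47); if those attributes can ever differ, the ignore list is now looked up under a different account key, so this is worth confirming before merge. `_create_client` starts before this hunk and its other hunks share the same function. A short comment above the call, `# TLS errors the user explicitly chose to ignore; kept separate from the cert store pins`, would also help a reader understand why two accepted-certificate mechanisms are configured back to back at L36-L40.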
......@@ -346,7 +346,6 @@ class Config:
'ft_send_local_ips': [opt_bool, True, _('If enabled, Gajim will send your local IP so your contact can connect to your machine for file transfers.')],
'opened_chat_controls': [opt_str, '', _('List of XMPP Addresses (space separated) for which the chat window will be re-opened on next startup.')],
'recent_groupchats': [opt_str, ''],
'httpupload_verify': [opt_bool, True, _('HTTP File Upload: Enable HTTPS Verification.')],
'filetransfer_preference' : [opt_str, 'httpupload', _('Preferred file transfer mechanism for file drag&drop on a chat window. Can be \'httpupload\' (default) or \'jingle\'.')],
'allow_posh': [opt_bool, True, _('Allow certificate verification with POSH.')],
}, {}),
......
......@@ -1764,3 +1764,9 @@ def warn_about_plain_connection(account, connection_types):
if type_.is_plain and warn:
return True
return False
def get_ignored_ssl_errors(account):
ignore_ssl_errors = app.config.get_per(
'accounts', account, 'ignore_ssl_errors').split()
return {Gio.TlsCertificateFlags(int(err)) for err in ignore_ssl_errors}
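Review bot: `get_ignored_ssl_errors` (L66-L69) has no docstring and lets a malformed entry in the per-account `ignore_ssl_errors` setting surface as a bare `ValueError` from `int(err)` (or from the `Gio.TlsCertificateFlags` constructor for an out-of-range value) at the call site in `_create_client`, so one corrupted value blocks client setup for that account. A docstring like `"""Return the set of Gio.TlsCertificateFlags the user chose to ignore for account, parsed from the space-separated integer list in its 'ignore_ssl_errors' setting."""` plus a `try/except ValueError` around the conversion that logs and skips the bad entry would keep the failure contained; skipping an unparsable entry errs on the strict side, since that error is then not ignored. The diff does not show the helpers.py import block, so I am assuming `Gio` and `app` are already in scope there.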
......@@ -22,6 +22,7 @@
from nbxmpp import NS_HTTPUPLOAD_0
from nbxmpp.util import is_error_result
from nbxmpp.util import convert_tls_error_flags
from gi.repository import GLib
from gi.repository import Soup
......@@ -218,23 +219,21 @@ def _upload_file(self, transfer):
self._session.queue_message(message, self._on_finish, transfer)
def _check_certificate(self, message):
https_used, _tls_certificate, tls_errors = message.get_https_status()
https_used, tls_certificate, tls_errors = message.get_https_status()
if not https_used:
self._log.warning('HTTPS was not used for upload')
self._session.cancel_message(message, Soup.Status.CANCELLED)
return
if not app.config.get_per('accounts',
self._account,
'httpupload_verify'):
tls_errors = convert_tls_error_flags(tls_errors)
if app.cert_store.verify(tls_certificate, tls_errors):
return
if tls_errors:
phrase = get_tls_error_phrase(tls_errors)
for error in tls_errors:
phrase = get_tls_error_phrase(error)
self._log.warning('TLS verification failed: %s', phrase)
self._session.cancel_message(message, Soup.Status.CANCELLED)
self._raise_information_event('httpupload-error', phrase)
return
self._session.cancel_message(message, Soup.Status.CANCELLED)
self._raise_information_event('httpupload-error', phrase)
def _on_finish(self, _session, message, transfer):
self._queued_messages.pop(id(transfer), None)
......
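Review bot: After the loop at L93-L95 only the last error's `phrase` reaches the user through `_raise_information_event` at L100, while every error is logged; when a certificate fails on more than one flag the notification under-reports the problem. The `phrase` name is also only bound because `verify` returns False solely when `tls_errors` is non-empty, which is a contract of another module that nothing here states. Collecting the phrases first and passing them all to the event keeps the logging as is and removes the dependency on that implicit guarantee. Dropping the `httpupload_verify` escape hatch means verification is now always enforced with the cert store as the only exception, which is the right default.
```python
    tls_errors = convert_tls_error_flags(tls_errors)
    if app.cert_store.verify(tls_certificate, tls_errors):
        return

    # verify() leaves only the errors it could not clear; report all of them
    phrases = [get_tls_error_phrase(error) for error in tls_errors]
    for phrase in phrases:
        self._log.warning('TLS verification failed: %s', phrase)

    self._session.cancel_message(message, Soup.Status.CANCELLED)
    self._raise_information_event('httpupload-error', '\n'.join(phrases))
```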