{
const unsigned allowed_errors = GNUTLS_CERT_INVALID |
GNUTLS_CERT_SIGNER_NOT_FOUND |
- GNUTLS_CERT_SIGNER_NOT_CA;
+ GNUTLS_CERT_SIGNER_NOT_CA |
+ GNUTLS_CERT_EXPIRED;
unsigned int status;
const gnutls_datum_t *cert_list;
unsigned int cert_list_size = 0;
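Review bot: Widening allowed_errors here changes what reaches the user prompts in the later hunk, which now fire only on GNUTLS_CERT_SIGNER_NOT_FOUND, GNUTLS_CERT_SIGNER_NOT_CA or GNUTLS_CERT_EXPIRED, whereas the old unknown-host path prompted unconditionally; a status that passes the mask but sets none of those bits (GNUTLS_CERT_INVALID on its own, or 0 if the chain verified cleanly) would presumably proceed to gnutls_store_pubkey with no dialog, which may be intended for a cleanly verified chain but deserves to be stated. The coupling between this constant and the prompts is easy to break when the next flag is added, so document it above the initializer: `// Keep in sync with the user prompts below: each bit accepted here is` / `// one the user is explicitly asked to override.` When both a signer bit and GNUTLS_CERT_EXPIRED are set the user now answers two separate dialogs for one connection; a single combined message would be clearer, though that is a style point. The enclosing function begins before this hunk, and the mask check that consumes allowed_errors is not visible here.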
vlog.debug("server cert signer not found");
if (status & GNUTLS_CERT_SIGNER_NOT_CA)
vlog.debug("server cert signer not CA");
+ if (status & GNUTLS_CERT_EXPIRED)
+ vlog.debug("server certificate has expired");
if (status & GNUTLS_CERT_INSECURE_ALGORITHM)
throw AuthFailureException("The server certificate uses an insecure algorithm");
vlog.debug("Server host not previously known");
vlog.debug("%s", info.data);
- text.format("This certificate has been signed by an unknown "
- "authority:\n\n%s\n\nSomeone could be trying to "
- "impersonate the site and you should not "
- "continue.\n\nDo you want to make an exception "
- "for this server?", info.data);
+ if (status & (GNUTLS_CERT_SIGNER_NOT_FOUND |
+ GNUTLS_CERT_SIGNER_NOT_CA)) {
+ text.format("This certificate has been signed by an unknown "
+ "authority:\n\n%s\n\nSomeone could be trying to "
+ "impersonate the site and you should not "
+ "continue.\n\nDo you want to make an exception "
+ "for this server?", info.data);
+
+ if (!msg->showMsgBox(UserMsgBox::M_YESNO,
+ "Unknown certificate issuer",
+ text.buf))
+ throw AuthFailureException("Unknown certificate issuer");
+ }
+
+ if (status & GNUTLS_CERT_EXPIRED) {
+ text.format("This certificate has expired:\n\n%s\n\nSomeone "
+ "could be trying to impersonate the site and you "
+ "should not continue.\n\nDo you want to make an "
+ "exception for this server?", info.data);
- if (!msg->showMsgBox(UserMsgBox::M_YESNO,
- "Unknown certificate issuer",
- text.buf))
- throw AuthFailureException("Unknown certificate issuer");
+ if (!msg->showMsgBox(UserMsgBox::M_YESNO,
+ "Expired certificate",
+ text.buf))
+ throw AuthFailureException("Expired certificate");
+ }
} else if (err == GNUTLS_E_CERTIFICATE_KEY_MISMATCH) {
CharArray text;
vlog.debug("Server host key mismatch");
vlog.debug("%s", info.data);
- text.format("This host is previously known with a different "
- "certificate, and the new certificate has been "
- "signed by an unknown authority:\n\n%s\n\nSomeone "
- "could be trying to impersonate the site and you "
- "should not continue.\n\nDo you want to make an "
- "exception for this server?", info.data);
+ if (status & (GNUTLS_CERT_SIGNER_NOT_FOUND |
+ GNUTLS_CERT_SIGNER_NOT_CA)) {
+ text.format("This host is previously known with a different "
+ "certificate, and the new certificate has been "
+ "signed by an unknown authority:\n\n%s\n\nSomeone "
+ "could be trying to impersonate the site and you "
+ "should not continue.\n\nDo you want to make an "
+ "exception for this server?", info.data);
+
+ if (!msg->showMsgBox(UserMsgBox::M_YESNO,
+ "Unexpected server certificate",
+ text.buf))
+ throw AuthFailureException("Unexpected server certificate");
+ }
- if (!msg->showMsgBox(UserMsgBox::M_YESNO,
- "Unexpected server certificate",
- text.buf))
- throw AuthFailureException("Unexpected server certificate");
+ if (status & GNUTLS_CERT_EXPIRED) {
+ text.format("This host is previously known with a different "
+ "certificate, and the new certificate has expired:"
+ "\n\n%s\n\nSomeone could be trying to impersonate "
+ "the site and you should not continue.\n\nDo you "
+ "want to make an exception for this server?",
+ info.data);
+
+ if (!msg->showMsgBox(UserMsgBox::M_YESNO,
+ "Unexpected server certificate",
+ text.buf))
+ throw AuthFailureException("Unexpected server certificate");
+ }
}
if (gnutls_store_pubkey(dbPath.buf, NULL, client->getServerName(),