Allow exception for weak certificate algorithms

The browsers let you add an exception for this case, so we should as
well.

diff --git a/common/rfb/CSecurityTLS.cxx b/common/rfb/CSecurityTLS.cxx
index 08b45da6e3c645c4795f7b4213d41d750c1a2b00..6bdf720af8e1dc33d6e89faaec49b4e6b408420e 100644 (file)
--- a/common/rfb/CSecurityTLS.cxx
+++ b/common/rfb/CSecurityTLS.cxx
@@ -290,7 +290,8 @@ void CSecurityTLS::checkSession()
                                  GNUTLS_CERT_SIGNER_NOT_FOUND |
                                  GNUTLS_CERT_SIGNER_NOT_CA |
                                  GNUTLS_CERT_NOT_ACTIVATED |
-                                 GNUTLS_CERT_EXPIRED;
+                                 GNUTLS_CERT_EXPIRED |
+                                 GNUTLS_CERT_INSECURE_ALGORITHM;
   unsigned int status;
   const gnutls_datum_t *cert_list;
   unsigned int cert_list_size = 0;
@@ -356,9 +357,8 @@ void CSecurityTLS::checkSession()
     vlog.debug("server certificate has not yet been activated");
   if (status & GNUTLS_CERT_EXPIRED)
     vlog.debug("server certificate has expired");
-
   if (status & GNUTLS_CERT_INSECURE_ALGORITHM)
-    throw AuthFailureException("The server certificate uses an insecure algorithm");
+    vlog.debug("server certificate uses an insecure algorithm");
 
   if ((status & (~allowed_errors)) != 0) {
     /* No other errors are allowed */
@@ -471,6 +471,25 @@ void CSecurityTLS::checkSession()
       status &= ~GNUTLS_CERT_EXPIRED;
     }
 
+    if (status & GNUTLS_CERT_INSECURE_ALGORITHM) {
+      text = format("This certificate uses an insecure algorithm:\n"
+                    "\n"
+                    "%s\n"
+                    "\n"
+                    "Someone could be trying to impersonate the site "
+                    "and you should not continue.\n"
+                    "\n"
+                    "Do you want to make an exception for this "
+                    "server?", info.data);
+
+      if (!msg->showMsgBox(UserMsgBox::M_YESNO,
+                           "Insecure certificate algorithm",
+                           text.c_str()))
+        throw AuthFailureException("Insecure certificate algorithm");
+
+      status &= ~GNUTLS_CERT_INSECURE_ALGORITHM;
+    }
+
     if (status != 0) {
       vlog.error("Unhandled certificate problems: 0x%x", status);
       throw AuthFailureException("Unhandled certificate problems");
@@ -548,6 +567,27 @@ void CSecurityTLS::checkSession()
       status &= ~GNUTLS_CERT_EXPIRED;
     }
 
+    if (status & GNUTLS_CERT_INSECURE_ALGORITHM) {
+      text = format("This host is previously known with a different "
+                    "certificate, and the new certificate uses an "
+                    "insecure algorithm:\n"
+                    "\n"
+                    "%s\n"
+                    "\n"
+                    "Someone could be trying to impersonate the site "
+                    "and you should not continue.\n"
+                    "\n"
+                    "Do you want to make an exception for this "
+                    "server?", info.data);
+
+      if (!msg->showMsgBox(UserMsgBox::M_YESNO,
+                           "Unexpected server certificate",
+                           text.c_str()))
+        throw AuthFailureException("Unexpected server certificate");
+
+      status &= ~GNUTLS_CERT_INSECURE_ALGORITHM;
+    }
+
     if (status != 0) {
       vlog.error("Unhandled certificate problems: 0x%x", status);
       throw AuthFailureException("Unhandled certificate problems");