From: Pierre Ossman Date: Wed, 5 Jul 2023 08:36:02 +0000 (+0200) Subject: Allow exception for not yet activated certificates X-Git-Tag: v1.13.90~68^2~5 X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=8e7071b1c96a34ea71467759c6a6dbcec5fce7ad;p=tigervnc.git Allow exception for not yet activated certificates The browsers let you add an exception for this case, so we should as well. --- diff --git a/common/rfb/CSecurityTLS.cxx b/common/rfb/CSecurityTLS.cxx index 735bdb6c..49c3c818 100644 --- a/common/rfb/CSecurityTLS.cxx +++ b/common/rfb/CSecurityTLS.cxx @@ -289,6 +289,7 @@ void CSecurityTLS::checkSession() const unsigned allowed_errors = GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_NOT_FOUND | GNUTLS_CERT_SIGNER_NOT_CA | + GNUTLS_CERT_NOT_ACTIVATED | GNUTLS_CERT_EXPIRED; unsigned int status; const gnutls_datum_t *cert_list; @@ -314,9 +315,6 @@ void CSecurityTLS::checkSession() if (status & GNUTLS_CERT_REVOKED) throw AuthFailureException("server certificate has been revoked"); - if (status & GNUTLS_CERT_NOT_ACTIVATED) - throw AuthFailureException("server certificate has not been activated"); - if (status & GNUTLS_CERT_EXPIRED) { vlog.debug("server certificate has expired"); if (!msg->showMsgBox(UserMsgBox::M_YESNO, "certificate has expired", @@ -362,6 +360,8 @@ void CSecurityTLS::checkSession() vlog.debug("server cert signer not found"); if (status & GNUTLS_CERT_SIGNER_NOT_CA) vlog.debug("server cert signer not CA"); + if (status & GNUTLS_CERT_NOT_ACTIVATED) + vlog.debug("server certificate has not yet been activated"); if (status & GNUTLS_CERT_EXPIRED) vlog.debug("server certificate has expired"); @@ -441,6 +441,25 @@ void CSecurityTLS::checkSession() GNUTLS_CERT_SIGNER_NOT_CA); } + if (status & GNUTLS_CERT_NOT_ACTIVATED) { + text = format("This certificate is not yet valid:\n" + "\n" + "%s\n" + "\n" + "Someone could be trying to impersonate the site " + "and you should not continue.\n" + "\n" + "Do you want to make an exception for this " + "server?", info.data); + + if (!msg->showMsgBox(UserMsgBox::M_YESNO, + "Certificate is not yet valid", + text.c_str())) + throw AuthFailureException("Certificate is not yet valid"); + + status &= ~GNUTLS_CERT_NOT_ACTIVATED; + } + if (status & GNUTLS_CERT_EXPIRED) { text = format("This certificate has expired:\n" "\n" @@ -495,6 +514,27 @@ void CSecurityTLS::checkSession() GNUTLS_CERT_SIGNER_NOT_CA); } + if (status & GNUTLS_CERT_NOT_ACTIVATED) { + text = format("This host is previously known with a different " + "certificate, and the new certificate is not yet " + "valid:\n" + "\n" + "%s\n" + "\n" + "Someone could be trying to impersonate the site " + "and you should not continue.\n" + "\n" + "Do you want to make an exception for this " + "server?", info.data); + + if (!msg->showMsgBox(UserMsgBox::M_YESNO, + "Unexpected server certificate", + text.c_str())) + throw AuthFailureException("Unexpected server certificate"); + + status &= ~GNUTLS_CERT_NOT_ACTIVATED; + } + if (status & GNUTLS_CERT_EXPIRED) { text = format("This host is previously known with a different " "certificate, and the new certificate has "