From 8e7071b1c96a34ea71467759c6a6dbcec5fce7ad Mon Sep 17 00:00:00 2001
From: Pierre Ossman <ossman@cendio.se>
Date: Wed, 5 Jul 2023 10:36:02 +0200
Subject: [PATCH] Allow exception for not yet activated certificates

The browsers let you add an exception for this case, so we should as
well.
---
 common/rfb/CSecurityTLS.cxx | 46 ++++++++++++++++++++++++++++++++++---
 1 file changed, 43 insertions(+), 3 deletions(-)

diff --git a/common/rfb/CSecurityTLS.cxx b/common/rfb/CSecurityTLS.cxx
index 735bdb6c..49c3c818 100644
--- a/common/rfb/CSecurityTLS.cxx
+++ b/common/rfb/CSecurityTLS.cxx
@@ -289,6 +289,7 @@ void CSecurityTLS::checkSession()
   const unsigned allowed_errors = GNUTLS_CERT_INVALID |
 				  GNUTLS_CERT_SIGNER_NOT_FOUND |
 				  GNUTLS_CERT_SIGNER_NOT_CA |
+				  GNUTLS_CERT_NOT_ACTIVATED |
 				  GNUTLS_CERT_EXPIRED;
   unsigned int status;
   const gnutls_datum_t *cert_list;
@@ -314,9 +315,6 @@ void CSecurityTLS::checkSession()
   if (status & GNUTLS_CERT_REVOKED)
     throw AuthFailureException("server certificate has been revoked");
 
-  if (status & GNUTLS_CERT_NOT_ACTIVATED)
-    throw AuthFailureException("server certificate has not been activated");
-
   if (status & GNUTLS_CERT_EXPIRED) {
     vlog.debug("server certificate has expired");
     if (!msg->showMsgBox(UserMsgBox::M_YESNO, "certificate has expired",
@@ -362,6 +360,8 @@ void CSecurityTLS::checkSession()
     vlog.debug("server cert signer not found");
   if (status & GNUTLS_CERT_SIGNER_NOT_CA)
     vlog.debug("server cert signer not CA");
+  if (status & GNUTLS_CERT_NOT_ACTIVATED)
+    vlog.debug("server certificate has not yet been activated");
   if (status & GNUTLS_CERT_EXPIRED)
     vlog.debug("server certificate has expired");
 
@@ -441,6 +441,25 @@ void CSecurityTLS::checkSession()
                   GNUTLS_CERT_SIGNER_NOT_CA);
     }
 
+    if (status & GNUTLS_CERT_NOT_ACTIVATED) {
+      text = format("This certificate is not yet valid:\n"
+                    "\n"
+                    "%s\n"
+                    "\n"
+                    "Someone could be trying to impersonate the site "
+                    "and you should not continue.\n"
+                    "\n"
+                    "Do you want to make an exception for this "
+                    "server?", info.data);
+
+      if (!msg->showMsgBox(UserMsgBox::M_YESNO,
+                           "Certificate is not yet valid",
+                           text.c_str()))
+        throw AuthFailureException("Certificate is not yet valid");
+
+      status &= ~GNUTLS_CERT_NOT_ACTIVATED;
+    }
+
     if (status & GNUTLS_CERT_EXPIRED) {
       text = format("This certificate has expired:\n"
                     "\n"
@@ -495,6 +514,27 @@ void CSecurityTLS::checkSession()
                   GNUTLS_CERT_SIGNER_NOT_CA);
     }
 
+    if (status & GNUTLS_CERT_NOT_ACTIVATED) {
+      text = format("This host is previously known with a different "
+                    "certificate, and the new certificate is not yet "
+                    "valid:\n"
+                    "\n"
+                    "%s\n"
+                    "\n"
+                    "Someone could be trying to impersonate the site "
+                    "and you should not continue.\n"
+                    "\n"
+                    "Do you want to make an exception for this "
+                    "server?", info.data);
+
+      if (!msg->showMsgBox(UserMsgBox::M_YESNO,
+                           "Unexpected server certificate",
+                           text.c_str()))
+        throw AuthFailureException("Unexpected server certificate");
+
+      status &= ~GNUTLS_CERT_NOT_ACTIVATED;
+    }
+
     if (status & GNUTLS_CERT_EXPIRED) {
       text = format("This host is previously known with a different "
                     "certificate, and the new certificate has "
-- 
2.39.5