From e43e5e30517498ec070b568a7d91edb942779d63 Mon Sep 17 00:00:00 2001
From: Pierre Ossman
Date: Fri, 1 Sep 2017 11:15:31 +0200
Subject: [PATCH] Add better error message for insecure certificate algorithms

---
 common/rfb/CSecurityTLS.cxx | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/common/rfb/CSecurityTLS.cxx b/common/rfb/CSecurityTLS.cxx
index 8a053e3d..58423fbf 100644
--- a/common/rfb/CSecurityTLS.cxx
+++ b/common/rfb/CSecurityTLS.cxx
@@ -332,6 +332,9 @@ void CSecurityTLS::checkSession()
 if (status & GNUTLS_CERT_SIGNER_NOT_CA)
 vlog.debug("server cert signer not CA");

+ if (status & GNUTLS_CERT_INSECURE_ALGORITHM)
+ throw AuthFailureException("The server certificate uses an insecure algorithm");
+
 if ((status & (~allowed_errors)) != 0) {
 /* No other errors are allowed */
 vlog.debug("GNUTLS status of certificate verification: %u", status);
-- 
2.39.5
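Review bot: The new `GNUTLS_CERT_INSECURE_ALGORITHM` branch throws without logging anything, while the fallback branch directly below logs the raw `status` first. A rejected handshake on this path therefore leaves no record of which other verification bits were set. Adding `vlog.debug("GNUTLS status of certificate verification: %u", status);` ahead of the `throw` would keep the two rejection paths equally diagnosable. The branch also deserves a comment such as `/* Hard failure: keep this ahead of the allowed_errors mask so it can never be waived */`, because its safety depends on staying before the `(status & (~allowed_errors))` test. The definition of `allowed_errors` and the rest of `checkSession()` are outside this hunk, so it is worth confirming that the mask does not include this bit and that no earlier path returns before reaching the check.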