From 98f45250734fc7a2826753a143d7c37fc522f604 Mon Sep 17 00:00:00 2001 From: Vincent Sanders Date: Sat, 10 Aug 2019 12:50:23 +0100 Subject: [PATCH] add common name ssl certificate error This adds an ssl faliure code and explanation why curl fetcher does not currently set it. --- content/fetchers/curl.c | 19 ++++++++++++++++--- include/netsurf/ssl_certs.h | 1 + utils/messages.c | 5 +++++ 3 files changed, 22 insertions(+), 3 deletions(-) diff --git a/content/fetchers/curl.c b/content/fetchers/curl.c index 345f16ce1..db41b32cb 100644 --- a/content/fetchers/curl.c +++ b/content/fetchers/curl.c @@ -1180,9 +1180,22 @@ static void fetch_curl_done(CURL *curl_handle, CURLcode result) */ ; } else if (result == CURLE_SSL_PEER_CERTIFICATE || - result == CURLE_SSL_CACERT) { - /* CURLE_SSL_PEER_CERTIFICATE renamed to - * CURLE_PEER_FAILED_VERIFICATION + result == CURLE_SSL_CACERT) { + /* + * curl in 7.63.0 (https://github.com/curl/curl/pull/3291) + * unified *all* SSL errors into the single + * CURLE_PEER_FAILED_VERIFICATION depricating + * CURLE_SSL_PEER_CERTIFICATE and CURLE_SSL_CACERT + * + * This change complete removed the ability to + * distinguish between certificate errors, host + * verification errors or any other failure reason + * using the curl result code. + * + * The result is when certificate error message is + * sent there is currently no way of informing the + * llcache about host verification faliures as the + * certificate chain has no error codes set. */ cert = true; } else { diff --git a/include/netsurf/ssl_certs.h b/include/netsurf/ssl_certs.h index a73dc604c..c77c2996d 100644 --- a/include/netsurf/ssl_certs.h +++ b/include/netsurf/ssl_certs.h @@ -38,6 +38,7 @@ typedef enum { SSL_CERT_ERR_SELF_SIGNED, /**< This certificate (or the chain) is self signed */ SSL_CERT_ERR_CHAIN_SELF_SIGNED, /**< This certificate chain is self signed */ SSL_CERT_ERR_REVOKED, /**< This certificate has been revoked */ + SSL_CERT_ERR_COMMON_NAME, /**< This certificate host did not match teh server */ } ssl_cert_err; /** diff --git a/utils/messages.c b/utils/messages.c index 29443f99e..c4a7959cf 100644 --- a/utils/messages.c +++ b/utils/messages.c @@ -382,6 +382,11 @@ const char *messages_get_sslcode(ssl_cert_err code) case SSL_CERT_ERR_REVOKED: /* This certificate has been revoked */ return messages_get_ctx("SSLCertErrRevoked", messages_hash); + + case SSL_CERT_ERR_COMMON_NAME: + /* Common name is invalid */ + return messages_get_ctx("SSLCertErrCommonName", messages_hash); + } /* The switch has no default, so the compiler should tell us when we