1
0
mirror of https://github.com/rkd77/elinks.git synced 2024-06-15 23:35:34 +00:00

Let users retry connection in case of error. Especially SSL error.

Also verify ssl certificates by default.
It has some weak points, for example in load_uri not always data
is a session.
This commit is contained in:
Witold Filipczyk 2017-07-23 14:33:40 +02:00
parent b1d1e4a15b
commit f43f5714e8
7 changed files with 45 additions and 8 deletions

View File

@ -1019,6 +1019,7 @@ load_uri(struct uri *uri, struct uri *referrer, struct download *download,
if (download) {
download->progress = conn->progress;
download->conn = conn;
conn->socket->verify = ((struct session *)download->data)->verify;
download->cached = NULL;
download->state = connection_state(S_OK);
add_to_list(conn->downloads, download);

View File

@ -146,6 +146,7 @@ init_socket(void *conn, struct socket_operations *ops)
socket->fd = -1;
socket->conn = conn;
socket->ops = ops;
socket->verify = 1;
return socket;
}

View File

@ -99,6 +99,7 @@ struct socket {
unsigned int no_tls:1; /* Internal SSL flag. */
unsigned int set_no_tls:1; /* Was the blacklist checked yet? */
unsigned int duplex:1; /* Allow simultaneous reads & writes. */
unsigned int verify:1; /* Whether to verify certificates */
};
#define EL_PF_INET 0

View File

@ -374,7 +374,7 @@ ssl_want_read(struct socket *socket)
switch (ssl_do_connect(socket)) {
case SSL_ERROR_NONE:
#ifdef CONFIG_GNUTLS
if (get_opt_bool("connection.ssl.cert_verify", NULL)
if (socket->verify && get_opt_bool("connection.ssl.cert_verify", NULL)
&& verify_certificates(socket)) {
socket->ops->retry(socket, connection_state(S_SSL_ERROR));
return;
@ -428,7 +428,7 @@ ssl_connect(struct socket *socket)
#ifdef USE_OPENSSL
SSL_set_fd(socket->ssl, socket->fd);
if (get_opt_bool("connection.ssl.cert_verify", NULL))
if (socket->verify && get_opt_bool("connection.ssl.cert_verify", NULL))
SSL_set_verify(socket->ssl, SSL_VERIFY_PEER
| SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
verify_callback);
@ -490,7 +490,7 @@ ssl_connect(struct socket *socket)
case SSL_ERROR_NONE:
#ifdef CONFIG_GNUTLS
if (!get_opt_bool("connection.ssl.cert_verify", NULL))
if (!socket->verify || !get_opt_bool("connection.ssl.cert_verify", NULL))
break;
if (!verify_certificates(socket))
@ -502,7 +502,6 @@ ssl_connect(struct socket *socket)
/* DBG("sslerr %s", gnutls_strerror(ret)); */
socket->no_tls = !socket->no_tls;
}
connect_socket(socket, connection_state(S_SSL_ERROR));
return -1;
}

View File

@ -114,7 +114,7 @@ done_openssl(struct module *module)
static union option_info openssl_options[] = {
INIT_OPT_BOOL("connection.ssl", N_("Verify certificates"),
"cert_verify", 0, 0,
"cert_verify", 0, 1,
N_("Verify the peer's SSL certificate. Note that this "
"needs extensive configuration of OpenSSL by the user.")),

View File

@ -257,6 +257,19 @@ get_current_download(struct session *ses)
return download;
}
static void
retry_connection_without_verification(void *data)
{
struct delayed_open *deo = (struct delayed_open *)data;
if (deo) {
deo->ses->verify = 0;
goto_uri(deo->ses, deo->uri);
done_uri(deo->uri);
mem_free(deo);
}
}
void
print_error_dialog(struct session *ses, struct connection_state state,
struct uri *uri, enum connection_priority priority)
@ -286,9 +299,27 @@ print_error_dialog(struct session *ses, struct connection_state state,
add_to_string(&msg, get_state_message(state, ses->tab->term));
info_box(ses->tab->term, MSGBOX_FREE_TEXT,
N_("Error"), ALIGN_CENTER,
msg.source);
if (!ses->verify || !uri) {
info_box(ses->tab->term, MSGBOX_FREE_TEXT,
N_("Error"), ALIGN_CENTER,
msg.source);
} else {
struct delayed_open *deo = mem_calloc(1, sizeof(*deo));
if (!deo) return;
add_to_string(&msg, "\n\n");
add_to_string(&msg, N_("Retry without verification?"));
deo->ses = ses;
deo->uri = get_uri_reference(uri);
msg_box(ses->tab->term, NULL, MSGBOX_FREE_TEXT,
N_("Error"), ALIGN_CENTER,
msg.source,
deo, 2,
MSG_BOX_BUTTON(N_("~Yes"), retry_connection_without_verification, B_ENTER),
MSG_BOX_BUTTON(N_("~No"), NULL, B_ESC));
}
/* TODO: retry */
}
@ -888,6 +919,8 @@ init_session(struct session *base_session, struct terminal *term,
return NULL;
}
ses->verify = 1;
ses->option = copy_option(config_options,
CO_SHALLOW | CO_NO_LISTBOX_ITEM);
create_history(&ses->history);

View File

@ -229,6 +229,8 @@ struct session {
/** The info for status displaying */
struct session_status status;
/** Verify SSL */
unsigned int verify:1;
/** @} */
};