Let users retry connection in case of error. Especially SSL error.

Also verify ssl certificates by default. It has some weak points, for example in load_uri not always data is a session.
2025-01-03 14:57:44 -05:00 · 2017-07-23 14:33:40 +02:00 · 2017-07-23 14:33:40 +02:00 · f43f5714e8
commit f43f5714e8
parent b1d1e4a15b
7 changed files with 45 additions and 8 deletions
--- a/src/network/connection.c
+++ b/src/network/connection.c
@ -1019,6 +1019,7 @@ load_uri(struct uri *uri, struct uri *referrer, struct download *download,
 	if (download) {
 		download->progress = conn->progress;
 		download->conn = conn;
+		conn->socket->verify = ((struct session *)download->data)->verify;
 		download->cached = NULL;
 		download->state = connection_state(S_OK);
 		add_to_list(conn->downloads, download);
--- a/src/network/socket.c
+++ b/src/network/socket.c
@ -146,6 +146,7 @@ init_socket(void *conn, struct socket_operations *ops)
 	socket->fd = -1;
 	socket->conn = conn;
 	socket->ops = ops;
+	socket->verify = 1;

 	return socket;
 }
--- a/src/network/socket.h
+++ b/src/network/socket.h
@ -99,6 +99,7 @@ struct socket {
 	unsigned int no_tls:1;		/* Internal SSL flag. */
 	unsigned int set_no_tls:1;	/* Was the blacklist checked yet? */
 	unsigned int duplex:1;		/* Allow simultaneous reads & writes. */
+	unsigned int verify:1;		/* Whether to verify certificates */
 };

 #define EL_PF_INET	0
--- a/src/network/ssl/socket.c
+++ b/src/network/ssl/socket.c
@ -374,7 +374,7 @@ ssl_want_read(struct socket *socket)
 	switch (ssl_do_connect(socket)) {
 		case SSL_ERROR_NONE:
 #ifdef CONFIG_GNUTLS
-			if (get_opt_bool("connection.ssl.cert_verify", NULL)
+			if (socket->verify && get_opt_bool("connection.ssl.cert_verify", NULL)
 			    && verify_certificates(socket)) {
 				socket->ops->retry(socket, connection_state(S_SSL_ERROR));
 				return;
@ -428,7 +428,7 @@ ssl_connect(struct socket *socket)
 #ifdef USE_OPENSSL
 	SSL_set_fd(socket->ssl, socket->fd);

-	if (get_opt_bool("connection.ssl.cert_verify", NULL))
+	if (socket->verify && get_opt_bool("connection.ssl.cert_verify", NULL))
 		SSL_set_verify(socket->ssl, SSL_VERIFY_PEER
 					  | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
 			       verify_callback);
@ -490,7 +490,7 @@ ssl_connect(struct socket *socket)

 		case SSL_ERROR_NONE:
 #ifdef CONFIG_GNUTLS
-			if (!get_opt_bool("connection.ssl.cert_verify", NULL))
+			if (!socket->verify || !get_opt_bool("connection.ssl.cert_verify", NULL))
 				break;

 			if (!verify_certificates(socket))
@ -502,7 +502,6 @@ ssl_connect(struct socket *socket)
 				/* DBG("sslerr %s", gnutls_strerror(ret)); */
 				socket->no_tls = !socket->no_tls;
 			}
-
 			connect_socket(socket, connection_state(S_SSL_ERROR));
 			return -1;
 	}
--- a/src/network/ssl/ssl.c
+++ b/src/network/ssl/ssl.c
@ -114,7 +114,7 @@ done_openssl(struct module *module)

 static union option_info openssl_options[] = {
 	INIT_OPT_BOOL("connection.ssl", N_("Verify certificates"),
-		"cert_verify", 0, 0,
+		"cert_verify", 0, 1,
 		N_("Verify the peer's SSL certificate. Note that this "
 		"needs extensive configuration of OpenSSL by the user.")),

--- a/src/session/session.c
+++ b/src/session/session.c
@ -257,6 +257,19 @@ get_current_download(struct session *ses)
 	return download;
 }

+static void
+retry_connection_without_verification(void *data)
+{
+	struct delayed_open *deo = (struct delayed_open *)data;
+
+	if (deo) {
+		deo->ses->verify = 0;
+		goto_uri(deo->ses, deo->uri);
+		done_uri(deo->uri);
+		mem_free(deo);
+	}
+}
+
 void
 print_error_dialog(struct session *ses, struct connection_state state,
 		   struct uri *uri, enum connection_priority priority)
@ -286,9 +299,27 @@ print_error_dialog(struct session *ses, struct connection_state state,

 	add_to_string(&msg, get_state_message(state, ses->tab->term));

-	info_box(ses->tab->term, MSGBOX_FREE_TEXT,
-		 N_("Error"), ALIGN_CENTER,
-		 msg.source);
+	if (!ses->verify || !uri) {
+		info_box(ses->tab->term, MSGBOX_FREE_TEXT,
+		N_("Error"), ALIGN_CENTER,
+		msg.source);
+	} else {
+		struct delayed_open *deo = mem_calloc(1, sizeof(*deo));
+
+		if (!deo) return;
+
+		add_to_string(&msg, "\n\n");
+		add_to_string(&msg, N_("Retry without verification?"));
+		deo->ses = ses;
+		deo->uri = get_uri_reference(uri);
+
+		msg_box(ses->tab->term, NULL, MSGBOX_FREE_TEXT,
+		N_("Error"), ALIGN_CENTER,
+		msg.source,
+		deo, 2,
+		MSG_BOX_BUTTON(N_("~Yes"), retry_connection_without_verification, B_ENTER),
+		MSG_BOX_BUTTON(N_("~No"), NULL, B_ESC));
+	}

 	/* TODO: retry */
 }
@ -888,6 +919,8 @@ init_session(struct session *base_session, struct terminal *term,
 		return NULL;
 	}

+	ses->verify = 1;
+
 	ses->option = copy_option(config_options,
 	                          CO_SHALLOW | CO_NO_LISTBOX_ITEM);
 	create_history(&ses->history);
--- a/src/session/session.h
+++ b/src/session/session.h
@ -229,6 +229,8 @@ struct session {
 	/** The info for status displaying */
 	struct session_status status;

+	/** Verify SSL */
+	unsigned int verify:1;
 	/** @} */
 };