
Add option to trust server's certificate

New tls policy "trust" added to /connect and /account. With this policy a
TLS connection is established even with an invalid certificate. Note that
the trust policy forces a TLS connection and fails when the server doesn't
support TLS.

Examples:
 /connect <jid> tls trust
 /account <name> set tls trust
Dmitry Podgorny 2018-11-06 14:01:27 +02:00
parent 671849c711
commit 7f65aaa9a2
6 changed files with 12 additions and 2 deletions


@ -17,6 +17,7 @@
- Adjust configure for OpenBSD
- Use UUIDs instead of counter for messages
- Support basic ad-hoc commands(xep-0050) (/command)
- Add option to trust server's certificate (/connect, /account)
- Bug fixes: https://github.com/boothj5/profanity/milestone/16?closed=1
0.5.1


@ -582,6 +582,7 @@ cmd_ac_init(void)
tls_property_ac = autocomplete_new();
autocomplete_add(tls_property_ac, "force");
autocomplete_add(tls_property_ac, "allow");
autocomplete_add(tls_property_ac, "trust");
autocomplete_add(tls_property_ac, "legacy");
autocomplete_add(tls_property_ac, "disable");


@ -158,7 +158,7 @@ static struct cmd_t command_defs[] =
CMD_TAG_CONNECTION)
CMD_SYN(
"/connect [<account>]",
"/connect <account> [server <server>] [port <port>] [tls force|allow|legacy|disable]")
"/connect <account> [server <server>] [port <port>] [tls force|allow|trust|legacy|disable]")
CMD_DESC(
"Login to a chat service. "
"If no account is specified, the default is used if one is configured. "
@ -169,6 +169,7 @@ static struct cmd_t command_defs[] =
{ "port <port>", "The port to use if different to the default (5222, or 5223 for SSL)." },
{ "tls force", "Force TLS connection, and fail if one cannot be established, this is default behaviour." },
{ "tls allow", "Use TLS for the connection if it is available." },
{ "tls trust", "Force TLS connection and trust server's certificate." },
{ "tls legacy", "Use legacy TLS for the connection. It means server doesn't support STARTTLS and TLS is forced just after TCP connection is established." },
{ "tls disable", "Disable TLS for the connection." })
CMD_EXAMPLES(
@ -2014,7 +2015,7 @@ static struct cmd_t command_defs[] =
"/account set <account> otr <policy>",
"/account set <account> pgpkeyid <pgpkeyid>",
"/account set <account> startscript <script>",
"/account set <account> tls force|allow|legacy|disable",
"/account set <account> tls force|allow|trust|legacy|disable",
"/account set <account> theme <theme>",
"/account clear <account> password",
"/account clear <account> eval_password",
@ -2054,6 +2055,7 @@ static struct cmd_t command_defs[] =
{ "set <account> startscript <script>", "Set the script to execute after connecting." },
{ "set <account> tls force", "Force TLS connection, and fail if one cannot be established, this is default behaviour." },
{ "set <account> tls allow", "Use TLS for the connection if it is available." },
{ "set <account> tls trust", "Force TLS connection and trust server's certificate." },
{ "set <account> tls legacy", "Use legacy TLS for the connection. It means server doesn't support STARTTLS and TLS is forced just after TCP connection is established." },
{ "set <account> tls disable", "Disable TLS for the connection." },
{ "set <account> <theme>", "Set the UI theme for the account." },
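Review bot: The help text for `tls trust` on L56 and L73 never tells the user that certificate validation is switched off, which is the whole effect of the policy (the commit message says the connection succeeds even with an invalid certificate) and what makes it dangerous. Say so in both entries, e.g. `{ "tls trust", "Force TLS connection but accept any server certificate without validation (vulnerable to man-in-the-middle); use only for servers you have verified another way." }` and the matching `set <account> tls trust` entry. The command_defs[] array starts and ends outside the hunks shown.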


@ -351,6 +351,7 @@ cmd_connect(ProfWin *window, const char *const command, gchar **args)
if (tls_policy &&
(g_strcmp0(tls_policy, "force") != 0) &&
(g_strcmp0(tls_policy, "allow") != 0) &&
(g_strcmp0(tls_policy, "trust") != 0) &&
(g_strcmp0(tls_policy, "disable") != 0) &&
(g_strcmp0(tls_policy, "legacy") != 0)) {
cons_bad_cmd_usage(command);
@ -815,6 +816,7 @@ _account_set_tls(char *account_name, char *policy)
{
if ((g_strcmp0(policy, "force") != 0)
&& (g_strcmp0(policy, "allow") != 0)
&& (g_strcmp0(policy, "trust") != 0)
&& (g_strcmp0(policy, "disable") != 0)
&& (g_strcmp0(policy, "legacy") != 0)) {
cons_show("TLS policy must be one of: force, allow, legacy or disable.");
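Review bot: The usage message on L95 still lists only `force, allow, legacy or disable`, so a user who mistypes the policy is never told that `trust` exists even though L92 now accepts it. Update it to `cons_show("TLS policy must be one of: force, allow, trust, legacy or disable.");`. cmd_connect() starts before the first hunk, and _account_set_tls() continues past the last line shown.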


@ -291,6 +291,7 @@ accounts_get_account(const char *const name)
gchar *tls_policy = g_key_file_get_string(accounts, name, "tls.policy", NULL);
if (tls_policy && ((g_strcmp0(tls_policy, "force") != 0) &&
(g_strcmp0(tls_policy, "allow") != 0) &&
(g_strcmp0(tls_policy, "trust") != 0) &&
(g_strcmp0(tls_policy, "disable") != 0) &&
(g_strcmp0(tls_policy, "legacy") != 0))) {
g_free(tls_policy);
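Review bot: This is the third copy of the accepted-policy list in the commit (L81–L86, L90–L94 and L101–L105 all spell out the same five strings), and the stale message on L95 shows how easily the copies drift apart. A single helper, declared in a header both the command handlers and accounts_get_account() include, would keep the command validation, the account validation and this loader in step and give the next policy one place to be added. A sketch follows; accounts_get_account() starts and ends outside the hunk.
```c
/* Return TRUE when policy names a TLS policy the connection code understands. */
gboolean
tls_policy_is_valid(const char *const policy)
{
    static const char *const known[] = { "force", "allow", "trust", "legacy", "disable" };
    for (size_t i = 0; i < G_N_ELEMENTS(known); i++) {
        if (g_strcmp0(policy, known[i]) == 0) {
            return TRUE;
        }
    }
    return FALSE;
}
/* … unchanged: callers replace the inline g_strcmp0 chains with !tls_policy_is_valid(tls_policy) … */
```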


@ -150,6 +150,9 @@ connection_connect(const char *const jid, const char *const passwd, const char *
if (!tls_policy || (g_strcmp0(tls_policy, "force") == 0)) {
xmpp_conn_set_flags(conn.xmpp_conn, XMPP_CONN_FLAG_MANDATORY_TLS);
} else if (g_strcmp0(tls_policy, "trust") == 0) {
xmpp_conn_set_flags(conn.xmpp_conn, XMPP_CONN_FLAG_MANDATORY_TLS);
xmpp_conn_set_flags(conn.xmpp_conn, XMPP_CONN_FLAG_TRUST_TLS);
} else if (g_strcmp0(tls_policy, "disable") == 0) {
xmpp_conn_set_flags(conn.xmpp_conn, XMPP_CONN_FLAG_DISABLE_TLS);
} else if (g_strcmp0(tls_policy, "legacy") == 0) {
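Review bot: The two consecutive xmpp_conn_set_flags() calls on L114–L115 likely do not accumulate: libstrophe's xmpp_conn_set_flags() assigns the connection's tls_mandatory and tls_trust fields from the flags argument on every call (to be confirmed against the libstrophe version in use), so the second call would clear MANDATORY_TLS and `trust` would no longer force TLS as the commit message promises, leaving an attacker who strips STARTTLS with a plaintext session. Pass both bits in one call: `xmpp_conn_set_flags(conn.xmpp_conn, XMPP_CONN_FLAG_MANDATORY_TLS | XMPP_CONN_FLAG_TRUST_TLS);`. The return value is ignored in every branch here, so a rejected flag combination would also go unnoticed. Because this policy disables certificate verification, consider emitting a visible warning at connect time so the user knows the server identity is unverified. connection_connect() starts and ends outside the hunk.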