Allow certificates from unknown CAs from .onion domains

It's barely possible for .onion servers to provide a non-self-signed cert. But that's fine because encryption is provided independently though TOR. see #958
author: fiaxh <git@lightrise.org> 2020-12-31 19:00:54 +0100
committer: fiaxh <git@lightrise.org> 2020-12-31 19:04:02 +0100
commit: 81a55052707d460a7f437b664682817c2c99dce6 (patch)
tree: 0d2b184a98d5a62d47beb2a4a09a13a4ea6e12a4 /libdino
parent: 99e98ac8d97296b0a34351d3bc8b155b0c8fc6db (diff)
download: dino-81a55052707d460a7f437b664682817c2c99dce6.tar.gz
dino-81a55052707d460a7f437b664682817c2c99dce6.zip
2 files changed, 25 insertions, 5 deletions
diff --git a/libdino/src/service/connection_manager.vala b/libdino/src/service/connection_manager.vala
index 40cd21d4..3ea6386b 100644
--- a/libdino/src/service/connection_manager.vala
+++ b/libdino/src/service/connection_manager.vala
@@ -196,7 +196,9 @@ public class ConnectionManager : Object {
             connection_directly_retry[account] = false;
 
             change_connection_state(account, ConnectionState.CONNECTING);
-            stream_result = yield Xmpp.establish_stream(account.bare_jid, module_manager.get_modules(account, resource), log_options);
+            stream_result = yield Xmpp.establish_stream(account.bare_jid, module_manager.get_modules(account, resource), log_options,
+                    (_, peer_cert, errors) => { return on_invalid_certificate(account.domainpart, peer_cert, errors); }
+            );
             connections[account].stream = stream_result.stream;
 
             connection_ongoing[account] = false;
@@ -368,6 +370,16 @@ public class ConnectionManager : Object {
         connection_errors[account] = error;
         connection_error(account, error);
     }
+
+    public static bool on_invalid_certificate(string domain, TlsCertificate peer_cert, TlsCertificateFlags errors) {
+        if (domain.has_suffix(".onion") && errors == TlsCertificateFlags.UNKNOWN_CA) {
+            // It's barely possible for .onion servers to provide a non-self-signed cert.
+            // But that's fine because encryption is provided independently though TOR.
+            warning("Accepting TLS certificate from unknown CA from .onion address %s", domain);
+            return true;
+        }
+        return false;
+    }
 }
 
 }
diff --git a/libdino/src/service/registration.vala b/libdino/src/service/registration.vala
index b4377b98..dc9ed95c 100644
--- a/libdino/src/service/registration.vala
+++ b/libdino/src/service/registration.vala
@@ -29,7 +29,9 @@ public class Register : StreamInteractionModule, Object{
         list.add(new Iq.Module());
         list.add(new Sasl.Module(account.bare_jid.to_string(), account.password));
 
-        XmppStreamResult stream_result = yield Xmpp.establish_stream(account.bare_jid.domain_jid, list, Application.print_xmpp);
+        XmppStreamResult stream_result = yield Xmpp.establish_stream(account.bare_jid.domain_jid, list, Application.print_xmpp,
+                (_, peer_cert, errors) => { return ConnectionManager.on_invalid_certificate(account.domainpart, peer_cert, errors); }
+        );
 
         if (stream_result.stream == null) {
             if (stream_result.tls_errors != null) {
@@ -80,7 +82,9 @@ public class Register : StreamInteractionModule, Object{
         Gee.List<XmppStreamModule> list = new ArrayList<XmppStreamModule>();
         list.add(new Iq.Module());
 
-        XmppStreamResult stream_result = yield Xmpp.establish_stream(jid.domain_jid, list, Application.print_xmpp);
+        XmppStreamResult stream_result = yield Xmpp.establish_stream(jid.domain_jid, list, Application.print_xmpp,
+                (_, peer_cert, errors) => { return ConnectionManager.on_invalid_certificate(jid.domainpart, peer_cert, errors); }
+        );
 
         if (stream_result.stream == null) {
             if (stream_result.io_error != null) {
@@ -125,7 +129,9 @@ public class Register : StreamInteractionModule, Object{
         list.add(new Iq.Module());
         list.add(new Xep.InBandRegistration.Module());
 
-        XmppStreamResult stream_result = yield Xmpp.establish_stream(jid.domain_jid, list, Application.print_xmpp);
+        XmppStreamResult stream_result = yield Xmpp.establish_stream(jid.domain_jid, list, Application.print_xmpp,
+                (_, peer_cert, errors) => { return ConnectionManager.on_invalid_certificate(jid.domainpart, peer_cert, errors); }
+        );
 
         if (stream_result.stream == null) {
             return null;
@@ -169,7 +175,9 @@ public class Register : StreamInteractionModule, Object{
         list.add(new Iq.Module());
         list.add(new Xep.InBandRegistration.Module());
 
-        XmppStreamResult stream_result = yield Xmpp.establish_stream(jid.domain_jid, list, Application.print_xmpp);
+        XmppStreamResult stream_result = yield Xmpp.establish_stream(jid.domain_jid, list, Application.print_xmpp,
+                (_, peer_cert, errors) => { return ConnectionManager.on_invalid_certificate(jid.domainpart, peer_cert, errors); }
+        );
 
         if (stream_result.stream == null) {
             return null;
author	fiaxh <git@lightrise.org>	2020-12-31 19:00:54 +0100
committer	fiaxh <git@lightrise.org>	2020-12-31 19:04:02 +0100
commit	81a55052707d460a7f437b664682817c2c99dce6 (patch)
tree	0d2b184a98d5a62d47beb2a4a09a13a4ea6e12a4 /libdino
parent	99e98ac8d97296b0a34351d3bc8b155b0c8fc6db (diff)
download	dino-81a55052707d460a7f437b664682817c2c99dce6.tar.gz dino-81a55052707d460a7f437b664682817c2c99dce6.zip