diff options
| author | Matthew Fennell <matthew@fennell.dev> | 2024-06-17 22:27:17 +0100 |
|---|---|---|
| committer | fiaxh <fiaxh@users.noreply.github.com> | 2024-06-29 11:54:08 +0200 |
| commit | f55b27716a50e80c4eb0661ea3ec284ec559fc5b (patch) | |
| tree | 3d02dc635ef43d87548396993b9d7b09dd6a90dc /plugins/http-files/src/file_provider.vala | |
| parent | da4ded964f122ffef194d3f7d7cf7fd0fd71d8cf (diff) | |
| download | dino-f55b27716a50e80c4eb0661ea3ec284ec559fc5b.tar.gz dino-f55b27716a50e80c4eb0661ea3ec284ec559fc5b.zip | |
Allow self-signed .onion file transfer certs (#1149)
Most Certificate Authorities don't support issuing X.509 certificates for onion
sites. However, it can still be useful to provide a certificate over Tor in
some circumstances, for instance to tie your alphanumeric Tor address to your
site's main identity.
Therefore, many Tor services provide self-signed certificates. This is OK,
since the onion service itself guarantees that you are connecting to the entity
you think you are.
Dino already allows self-signed certs when communicating over Tor (see
81a5505). However, the same exception does not exist yet for HTTP uploads and
downloads - causing these to fail over Tor.
Therefore, in this commit, we add the same exception for uploads/downloads, by
passing the host of the upload/download urls to the already existing invalid
certificate connection handler.
Note that this handler only allows certificates with type
TlsCertificateFlags.UNKNOWN_CA. This means the certificate of your server must
also include the onion http upload and download URLs in its certificate -
otherwise, the file transfer will fail with TlsCertificateFlags.BAD_IDENTITY.
Diffstat (limited to 'plugins/http-files/src/file_provider.vala')
| -rw-r--r-- | plugins/http-files/src/file_provider.vala | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/plugins/http-files/src/file_provider.vala b/plugins/http-files/src/file_provider.vala index 34c3a48a..d62e3561 100644 --- a/plugins/http-files/src/file_provider.vala +++ b/plugins/http-files/src/file_provider.vala @@ -120,6 +120,11 @@ public class FileProvider : Dino.FileProvider, Object { var head_message = new Soup.Message("HEAD", http_receive_data.url); head_message.request_headers.append("Accept-Encoding", "identity"); +#if SOUP_3_0 + string transfer_host = Uri.parse(http_receive_data.url, UriFlags.NONE).get_host(); + head_message.accept_certificate.connect((peer_cert, errors) => { return ConnectionManager.on_invalid_certificate(transfer_host, peer_cert, errors); }); +#endif + try { #if SOUP_3_0 yield session.send_async(head_message, GLib.Priority.LOW, null); @@ -153,6 +158,11 @@ public class FileProvider : Dino.FileProvider, Object { var get_message = new Soup.Message("GET", http_receive_data.url); +#if SOUP_3_0 + string transfer_host = Uri.parse(http_receive_data.url, UriFlags.NONE).get_host(); + get_message.accept_certificate.connect((peer_cert, errors) => { return ConnectionManager.on_invalid_certificate(transfer_host, peer_cert, errors); }); +#endif + try { #if SOUP_3_0 InputStream stream = yield session.send_async(get_message, GLib.Priority.LOW, file_transfer.cancellable); |