authorfiaxh <git@lightrise.org>2020-12-31 19:00:54 +0100
committerfiaxh <git@lightrise.org>2020-12-31 19:04:02 +0100
commit81a55052707d460a7f437b664682817c2c99dce6 (patch)
tree0d2b184a98d5a62d47beb2a4a09a13a4ea6e12a4 /xmpp-vala/src/core/direct_tls_xmpp_stream.vala
parent99e98ac8d97296b0a34351d3bc8b155b0c8fc6db (diff)
Allow certificates from unknown CAs from .onion domains
It's barely possible for .onion servers to provide a non-self-signed cert. But that's fine because encryption is provided independently through Tor. See #958
Diffstat (limited to 'xmpp-vala/src/core/direct_tls_xmpp_stream.vala')
-rw-r--r--xmpp-vala/src/core/direct_tls_xmpp_stream.vala11
1 files changed, 7 insertions, 4 deletions
diff --git a/xmpp-vala/src/core/direct_tls_xmpp_stream.vala b/xmpp-vala/src/core/direct_tls_xmpp_stream.vala
index 1d2f7339..1c262598 100644
--- a/xmpp-vala/src/core/direct_tls_xmpp_stream.vala
+++ b/xmpp-vala/src/core/direct_tls_xmpp_stream.vala
@@ -2,11 +2,13 @@ public class Xmpp.DirectTlsXmppStream : TlsXmppStream {
string host;
uint16 port;
+ TlsXmppStream.OnInvalidCert on_invalid_cert_outer;
- public DirectTlsXmppStream(Jid remote, string host, uint16 port) {
- this.remote_name = remote;
+ public DirectTlsXmppStream(Jid remote_name, string host, uint16 port, TlsXmppStream.OnInvalidCert on_invalid_cert) {
+ base(remote_name);
this.host = host;
this.port = port;
+ this.on_invalid_cert_outer = on_invalid_cert;
}
public override async void connect() throws IOStreamError {
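Review bot: `on_invalid_cert` is stored in the field `on_invalid_cert_outer` without taking ownership of it. Vala delegate parameters are unowned by default, so if a caller passes a closure, its target may be released once the constructor returns. The certificate decision would then run on freed data when `accept_certificate` fires later in `connect()`. Declaring the parameter as `owned TlsXmppStream.OnInvalidCert on_invalid_cert` and assigning with `this.on_invalid_cert_outer = (owned) on_invalid_cert;` would keep the target alive. The delegate's declaration is outside this hunk, so confirm whether it carries a target at all.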
@@ -15,10 +17,11 @@ public class Xmpp.DirectTlsXmppStream : TlsXmppStream {
debug("Connecting to %s %i (tls)", host, port);
IOStream? io_stream = yield client.connect_to_host_async(host, port);
TlsConnection tls_connection = TlsClientConnection.new(io_stream, new NetworkAddress(remote_name.to_string(), port));
- #if ALPN_SUPPORT
+#if ALPN_SUPPORT
tls_connection.set_advertised_protocols(new string[]{"xmpp-client"});
- #endif
+#endif
tls_connection.accept_certificate.connect(on_invalid_certificate);
+ tls_connection.accept_certificate.connect(on_invalid_cert_outer);
reset_stream(tls_connection);
yield setup();
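Review bot: The second `accept_certificate` handler hands the final trust decision to the caller, and nothing in this hunk limits it to the .onion case the commit message describes. GIO stops the emission at the first handler that returns true, so `on_invalid_cert_outer` runs only after `on_invalid_certificate` has declined, and it can then accept a certificate with any error flags. The callback body is not visible here; it should return true only when the flags are exactly `TlsCertificateFlags.UNKNOWN_CA` and, presumably, when the endpoint actually dialled (`host`, not just `remote_name`) is a .onion address. A comment above the new line would record this, e.g. `// Caller policy, consulted only if on_invalid_certificate rejects; must accept UNKNOWN_CA only.` The `connect()` body starts before this hunk and continues past it.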