From 81a55052707d460a7f437b664682817c2c99dce6 Mon Sep 17 00:00:00 2001 From: fiaxh Date: Thu, 31 Dec 2020 19:00:54 +0100 Subject: Allow certificates from unknown CAs from .onion domains It's barely possible for .onion servers to provide a non-self-signed cert. But that's fine because encryption is provided independently though TOR. see #958 --- libdino/src/service/connection_manager.vala | 14 +++++++++++++- libdino/src/service/registration.vala | 16 ++++++++++++---- 2 files changed, 25 insertions(+), 5 deletions(-) (limited to 'libdino/src') diff --git a/libdino/src/service/connection_manager.vala b/libdino/src/service/connection_manager.vala index 40cd21d4..3ea6386b 100644 --- a/libdino/src/service/connection_manager.vala +++ b/libdino/src/service/connection_manager.vala @@ -196,7 +196,9 @@ public class ConnectionManager : Object { connection_directly_retry[account] = false; change_connection_state(account, ConnectionState.CONNECTING); - stream_result = yield Xmpp.establish_stream(account.bare_jid, module_manager.get_modules(account, resource), log_options); + stream_result = yield Xmpp.establish_stream(account.bare_jid, module_manager.get_modules(account, resource), log_options, + (_, peer_cert, errors) => { return on_invalid_certificate(account.domainpart, peer_cert, errors); } + ); connections[account].stream = stream_result.stream; connection_ongoing[account] = false; @@ -368,6 +370,16 @@ public class ConnectionManager : Object { connection_errors[account] = error; connection_error(account, error); } + + public static bool on_invalid_certificate(string domain, TlsCertificate peer_cert, TlsCertificateFlags errors) { + if (domain.has_suffix(".onion") && errors == TlsCertificateFlags.UNKNOWN_CA) { + // It's barely possible for .onion servers to provide a non-self-signed cert. + // But that's fine because encryption is provided independently though TOR. + warning("Accepting TLS certificate from unknown CA from .onion address %s", domain); + return true; + } + return false; + } } } diff --git a/libdino/src/service/registration.vala b/libdino/src/service/registration.vala index b4377b98..dc9ed95c 100644 --- a/libdino/src/service/registration.vala +++ b/libdino/src/service/registration.vala @@ -29,7 +29,9 @@ public class Register : StreamInteractionModule, Object{ list.add(new Iq.Module()); list.add(new Sasl.Module(account.bare_jid.to_string(), account.password)); - XmppStreamResult stream_result = yield Xmpp.establish_stream(account.bare_jid.domain_jid, list, Application.print_xmpp); + XmppStreamResult stream_result = yield Xmpp.establish_stream(account.bare_jid.domain_jid, list, Application.print_xmpp, + (_, peer_cert, errors) => { return ConnectionManager.on_invalid_certificate(account.domainpart, peer_cert, errors); } + ); if (stream_result.stream == null) { if (stream_result.tls_errors != null) { @@ -80,7 +82,9 @@ public class Register : StreamInteractionModule, Object{ Gee.List list = new ArrayList(); list.add(new Iq.Module()); - XmppStreamResult stream_result = yield Xmpp.establish_stream(jid.domain_jid, list, Application.print_xmpp); + XmppStreamResult stream_result = yield Xmpp.establish_stream(jid.domain_jid, list, Application.print_xmpp, + (_, peer_cert, errors) => { return ConnectionManager.on_invalid_certificate(jid.domainpart, peer_cert, errors); } + ); if (stream_result.stream == null) { if (stream_result.io_error != null) { @@ -125,7 +129,9 @@ public class Register : StreamInteractionModule, Object{ list.add(new Iq.Module()); list.add(new Xep.InBandRegistration.Module()); - XmppStreamResult stream_result = yield Xmpp.establish_stream(jid.domain_jid, list, Application.print_xmpp); + XmppStreamResult stream_result = yield Xmpp.establish_stream(jid.domain_jid, list, Application.print_xmpp, + (_, peer_cert, errors) => { return ConnectionManager.on_invalid_certificate(jid.domainpart, peer_cert, errors); } + ); if (stream_result.stream == null) { return null; @@ -169,7 +175,9 @@ public class Register : StreamInteractionModule, Object{ list.add(new Iq.Module()); list.add(new Xep.InBandRegistration.Module()); - XmppStreamResult stream_result = yield Xmpp.establish_stream(jid.domain_jid, list, Application.print_xmpp); + XmppStreamResult stream_result = yield Xmpp.establish_stream(jid.domain_jid, list, Application.print_xmpp, + (_, peer_cert, errors) => { return ConnectionManager.on_invalid_certificate(jid.domainpart, peer_cert, errors); } + ); if (stream_result.stream == null) { return null; -- cgit v1.2.3-70-g09d2