Changeset 792a93b


Ignore:
Timestamp:
2011-12-23T12:44:08Z (7 years ago)
Author:
Wilmer van der Gaast <wilmer@…>
Branches:
master
Children:
200e151
Parents:
2d93a51e (diff), 41658da (diff)
Note: this is a merge changeset, the changes displayed below correspond to the merge itself.
Use the (diff) links above to see all the changes relative to each parent.
Message:

Merging SSL certificate verification for GnuTLS, with help from AopicieR.

Files:
15 edited

Legend:

Unmodified
Added
Removed
  • bitlbee.conf

    r2d93a51e r792a93b  
    116116## (Obviously, the username and password are optional)
    117117##
    118 ## Proxy = http://john:doe@proxy.localnet.com:8080
    119 ## Proxy = socks4://socksproxy.localnet.com
    120 ## Proxy = socks5://socksproxy.localnet.com
     118# Proxy = http://john:doe@proxy.localnet.com:8080
     119# Proxy = socks4://socksproxy.localnet.com
     120# Proxy = socks5://socksproxy.localnet.com
    121121
    122122## Protocols offered by bitlbee
     
    126126## nothing is given, there are no restrictions.
    127127##
    128 ## Protocols = jabber yahoo
     128# Protocols = jabber yahoo
    129129
     130## Trusted CAs
     131##
     132## Path to a file containing a list of trusted certificate authorities used in
     133## the verification of server certificates.
     134##
     135## Uncomment this and make sure the file actually exists and contains all
     136## certificate authorities you're willing to accept (default value should
     137## work on at least Debian/Ubuntu systems with the "ca-certificates" package
     138## installed). As long as the line is commented out, SSL certificate
     139## verification is completely disabled.
     140##
     141## The location of this file may be different on other distros/OSes. For
     142## example, try /etc/ssl/ca-bundle.pem on OpenSUSE.
     143##
     144# CAfile = /etc/ssl/certs/ca-certificates.crt
    130145
    131146[defaults]
  • conf.c

    r2d93a51e r792a93b  
    6767        conf->ft_listen = NULL;
    6868        conf->protocols = NULL;
     69        conf->cafile = NULL;
    6970        proxytype = 0;
    7071       
     
    177178                fprintf( stderr, "Warning: Unable to read configuration file `%s'.\n", global.conf_file );
    178179       
     180        if( conf->cafile && access( conf->cafile, R_OK ) != 0 )
     181        {
     182                /* Let's treat this as a serious problem so people won't think
     183                   they're secure when in fact they're not. */
     184                fprintf( stderr, "Error: Could not read CA file %s: %s\n", conf->cafile, strerror( errno ) );
     185                return NULL;
     186        }
     187       
    179188        return conf;
    180189}
     
    340349                                conf->protocols = g_strsplit_set( ini->value, " \t,;", -1 );
    341350                        }
     351                        else if( g_strcasecmp( ini->key, "cafile" ) == 0 )
     352                        {
     353                                g_free( conf->cafile );
     354                                conf->cafile = g_strdup( ini->value );
     355                        }
    342356                        else
    343357                        {
  • conf.h

    r2d93a51e r792a93b  
    5454        char *ft_listen;
    5555        char **protocols;
     56        char *cafile;
    5657} conf_t;
    5758
  • doc/user-guide/commands.xml

    r2d93a51e r792a93b  
    13921392                <description>
    13931393                        <para>
    1394                                 Currently only available for Jabber connections. Set this to true if the server accepts SSL connections.
     1394                                Currently only available for Jabber connections. Set this to true if you want to connect to the server on an SSL-enabled port (usually 5223).
     1395                        </para>
     1396
     1397                        <para>
     1398                                Please note that this method of establishing a secure connection to the server has long been deprecated. You are encouraged to look at the <emphasis>tls</emphasis> setting instead.
    13951399                        </para>
    13961400                </description>
     
    14811485                        <para>
    14821486                                If you want to force BitlBee to use TLS sessions only (and to give up if that doesn't seem to be possible) you can set this setting to <emphasis>true</emphasis>. Set it to <emphasis>false</emphasis> if you want the session to remain plain-text.
     1487                        </para>
     1488                </description>
     1489        </bitlbee-setting>
     1490
     1491        <bitlbee-setting name="tls_verify" type="boolean" scope="account">
     1492                <default>true</default>
     1493
     1494                <description>
     1495                        <para>
     1496                                Currently only available for Jabber connections in combination with the <emphasis>tls</emphasis> setting. Set this to <emphasis>true</emphasis> if you want BitlBee to strictly verify the server's certificate against a list of trusted certificate authorities.
     1497                        </para>
     1498
     1499                        <para>
     1500                                The hostname used in the certificate verification is the value of the <emphasis>server</emphasis> setting if the latter is nonempty and the domain of the username else. If you get a hostname related error when connecting to Google Talk with a username from the gmail.com or googlemail.com domain, please try to empty the <emphasis>server</emphasis> setting.
     1501                        </para>
     1502
     1503                        <para>
     1504                                Please note that no certificate verification is performed when the <emphasis>ssl</emphasis> setting is used, or when the <emphasis>CAfile</emphasis> setting in <emphasis>bitlbee.conf</emphasis> is not set.
    14831505                        </para>
    14841506                </description>
  • lib/http_client.c

    r2d93a51e r792a93b  
    3333
    3434static gboolean http_connected( gpointer data, int source, b_input_condition cond );
    35 static gboolean http_ssl_connected( gpointer data, void *source, b_input_condition cond );
     35static gboolean http_ssl_connected( gpointer data, int returncode, void *source, b_input_condition cond );
    3636static gboolean http_incoming_data( gpointer data, int source, b_input_condition cond );
    3737static void http_free( struct http_request *req );
     
    4747        if( ssl )
    4848        {
    49                 req->ssl = ssl_connect( host, port, http_ssl_connected, req );
     49                req->ssl = ssl_connect( host, port, TRUE, http_ssl_connected, req );
    5050                if( req->ssl == NULL )
    5151                        error = 1;
     
    163163       
    164164error:
    165         req->status_string = g_strdup( "Error while writing HTTP request" );
     165        if( req->status_string == NULL )
     166                req->status_string = g_strdup( "Error while writing HTTP request" );
    166167       
    167168        req->func( req );
     
    170171}
    171172
    172 static gboolean http_ssl_connected( gpointer data, void *source, b_input_condition cond )
     173static gboolean http_ssl_connected( gpointer data, int returncode, void *source, b_input_condition cond )
    173174{
    174175        struct http_request *req = data;
    175176       
    176177        if( source == NULL )
     178        {
     179                if( returncode != 0 )
     180                {
     181                        char *err = ssl_verify_strerror( returncode );
     182                        req->status_string = g_strdup_printf(
     183                                "Certificate verification problem 0x%x: %s",
     184                                returncode, err ? err : "Unknown" );
     185                        g_free( err );
     186                }
    177187                return http_connected( data, -1, cond );
     188        }
    178189       
    179190        req->fd = ssl_getfd( source );
     
    439450                if( new_proto == PROTO_HTTPS )
    440451                {
    441                         req->ssl = ssl_connect( new_host, new_port, http_ssl_connected, req );
     452                        req->ssl = ssl_connect( new_host, new_port, TRUE, http_ssl_connected, req );
    442453                        if( req->ssl == NULL )
    443454                                error = 1;
  • lib/ssl_bogus.c

    r2d93a51e r792a93b  
    3232}
    3333
    34 void *ssl_connect( char *host, int port, ssl_input_function func, gpointer data )
     34void *ssl_connect( char *host, int port, gboolean verify, ssl_input_function func, gpointer data )
    3535{
    3636        return( NULL );
     
    5656}
    5757
    58 void *ssl_starttls( int fd, ssl_input_function func, gpointer data )
     58void *ssl_starttls( int fd, char *hostname, gboolean verify, ssl_input_function func, gpointer data )
    5959{
    6060        return NULL;
     
    7070        return 0;
    7171}
     72
     73char *ssl_verify_strerror( int code )
     74{
     75        return NULL;
     76}
  • lib/ssl_client.h

    r2d93a51e r792a93b  
    3737/* Some generic error codes. Especially SSL_AGAIN is important if you
    3838   want to do asynchronous I/O. */
     39#define NSS_VERIFY_ERROR -2
     40#define OPENSSL_VERIFY_ERROR -1
    3941#define SSL_OK            0
    4042#define SSL_NOHANDSHAKE   1
    4143#define SSL_AGAIN         2
     44#define VERIFY_CERT_ERROR 2
     45#define VERIFY_CERT_INVALID 4
     46#define VERIFY_CERT_REVOKED 8
     47#define VERIFY_CERT_SIGNER_NOT_FOUND 16
     48#define VERIFY_CERT_SIGNER_NOT_CA 32
     49#define VERIFY_CERT_INSECURE_ALGORITHM 64
     50#define VERIFY_CERT_NOT_ACTIVATED 128
     51#define VERIFY_CERT_EXPIRED 256
     52#define VERIFY_CERT_WRONG_HOSTNAME 512
    4253
    4354extern int ssl_errno;
    4455
    4556/* This is what your callback function should look like. */
    46 typedef gboolean (*ssl_input_function)(gpointer, void*, b_input_condition);
     57typedef gboolean (*ssl_input_function)(gpointer, int, void*, b_input_condition);
    4758
    4859
     
    5364   ready to be used for SSL traffic. This is all done asynchronously, no
    5465   blocking I/O! (Except for the DNS lookups, for now...) */
    55 G_MODULE_EXPORT void *ssl_connect( char *host, int port, ssl_input_function func, gpointer data );
     66G_MODULE_EXPORT void *ssl_connect( char *host, int port, gboolean verify, ssl_input_function func, gpointer data );
    5667
    5768/* Start an SSL session on an existing fd. Useful for STARTTLS functionality,
    5869   for example in Jabber. */
    59 G_MODULE_EXPORT void *ssl_starttls( int fd, ssl_input_function func, gpointer data );
     70G_MODULE_EXPORT void *ssl_starttls( int fd, char *hostname, gboolean verify, ssl_input_function func, gpointer data );
    6071
    6172/* Obviously you need special read/write functions to read data. */
     
    90101G_MODULE_EXPORT b_input_condition ssl_getdirection( void *conn );
    91102
     103/* Converts a verification bitfield passed to ssl_input_function into
     104   a more useful string. Or NULL if it had no useful bits set. */
     105G_MODULE_EXPORT char *ssl_verify_strerror( int code );
     106
    92107G_MODULE_EXPORT size_t ssl_des3_encrypt(const unsigned char *key, size_t key_len, const unsigned char *input, size_t input_len, const unsigned char *iv, unsigned char **res);
  • lib/ssl_gnutls.c

    r2d93a51e r792a93b  
    2525
    2626#include <gnutls/gnutls.h>
     27#include <gnutls/x509.h>
    2728#include <gcrypt.h>
    2829#include <fcntl.h>
     
    3233#include "sock.h"
    3334#include "stdlib.h"
     35#include "bitlbee.h"
    3436
    3537int ssl_errno = 0;
     
    5456        gboolean established;
    5557        int inpa;
     58        char *hostname;
     59        gboolean verify;
    5660       
    5761        gnutls_session session;
     
    7478}
    7579
    76 void *ssl_connect( char *host, int port, ssl_input_function func, gpointer data )
     80void *ssl_connect( char *host, int port, gboolean verify, ssl_input_function func, gpointer data )
    7781{
    7882        struct scd *conn = g_new0( struct scd, 1 );
     
    8286        conn->data = data;
    8387        conn->inpa = -1;
     88        conn->hostname = g_strdup( host );
     89        conn->verify = verify && global.conf->cafile;
    8490       
    8591        if( conn->fd < 0 )
     
    9298}
    9399
    94 void *ssl_starttls( int fd, ssl_input_function func, gpointer data )
     100void *ssl_starttls( int fd, char *hostname, gboolean verify, ssl_input_function func, gpointer data )
    95101{
    96102        struct scd *conn = g_new0( struct scd, 1 );
     
    100106        conn->data = data;
    101107        conn->inpa = -1;
     108        conn->hostname = hostname;
     109       
     110        /* For now, SSL verification is globally enabled by setting the cafile
     111           setting in bitlbee.conf. Commented out by default because probably
     112           not everyone has this file in the same place and plenty of folks
     113           may not have the cert of their private Jabber server in it. */
     114        conn->verify = verify && global.conf->cafile;
    102115       
    103116        /* This function should be called via a (short) timeout instead of
     
    122135}
    123136
     137static int verify_certificate_callback( gnutls_session_t session )
     138{
     139        unsigned int status;
     140        const gnutls_datum_t *cert_list;
     141        unsigned int cert_list_size;
     142        int gnutlsret;
     143        int verifyret = 0;
     144        gnutls_x509_crt_t cert;
     145        const char *hostname;
     146       
     147        hostname = gnutls_session_get_ptr(session );
     148
     149        gnutlsret = gnutls_certificate_verify_peers2( session, &status );
     150        if( gnutlsret < 0 )
     151                return VERIFY_CERT_ERROR;
     152
     153        if( status & GNUTLS_CERT_INVALID )
     154                verifyret |= VERIFY_CERT_INVALID;
     155
     156        if( status & GNUTLS_CERT_REVOKED )
     157                verifyret |= VERIFY_CERT_REVOKED;
     158
     159        if( status & GNUTLS_CERT_SIGNER_NOT_FOUND )
     160                verifyret |= VERIFY_CERT_SIGNER_NOT_FOUND;
     161
     162        if( status & GNUTLS_CERT_SIGNER_NOT_CA )
     163                verifyret |= VERIFY_CERT_SIGNER_NOT_CA;
     164
     165        if( status & GNUTLS_CERT_INSECURE_ALGORITHM )
     166                verifyret |= VERIFY_CERT_INSECURE_ALGORITHM;
     167
     168        if( status & GNUTLS_CERT_NOT_ACTIVATED )
     169                verifyret |= VERIFY_CERT_NOT_ACTIVATED;
     170
     171        if( status & GNUTLS_CERT_EXPIRED )
     172                verifyret |= VERIFY_CERT_EXPIRED;
     173
     174        /* The following check is already performed inside
     175         * gnutls_certificate_verify_peers2, so we don't need it.
     176
     177         * if( gnutls_certificate_type_get( session ) != GNUTLS_CRT_X509 )
     178         * return GNUTLS_E_CERTIFICATE_ERROR;
     179         */
     180
     181        if( gnutls_x509_crt_init( &cert ) < 0 )
     182                return VERIFY_CERT_ERROR;
     183
     184        cert_list = gnutls_certificate_get_peers( session, &cert_list_size );
     185        if( cert_list == NULL || gnutls_x509_crt_import( cert, &cert_list[0], GNUTLS_X509_FMT_DER ) < 0 )
     186                return VERIFY_CERT_ERROR;
     187
     188        if( !gnutls_x509_crt_check_hostname( cert, hostname ) )
     189        {
     190                verifyret |= VERIFY_CERT_INVALID;
     191                verifyret |= VERIFY_CERT_WRONG_HOSTNAME;
     192        }
     193
     194        gnutls_x509_crt_deinit( cert );
     195
     196        return verifyret;
     197}
     198
     199char *ssl_verify_strerror( int code )
     200{
     201        GString *ret = g_string_new( "" );
     202       
     203        if( code & VERIFY_CERT_REVOKED )
     204                g_string_append( ret, "certificate has been revoked, " );
     205        if( code & VERIFY_CERT_SIGNER_NOT_FOUND )
     206                g_string_append( ret, "certificate hasn't got a known issuer, " );
     207        if( code & VERIFY_CERT_SIGNER_NOT_CA )
     208                g_string_append( ret, "certificate's issuer is not a CA, " );
     209        if( code & VERIFY_CERT_INSECURE_ALGORITHM )
     210                g_string_append( ret, "certificate uses an insecure algorithm, " );
     211        if( code & VERIFY_CERT_NOT_ACTIVATED )
     212                g_string_append( ret, "certificate has not been activated, " );
     213        if( code & VERIFY_CERT_EXPIRED )
     214                g_string_append( ret, "certificate has expired, " );
     215        if( code & VERIFY_CERT_WRONG_HOSTNAME )
     216                g_string_append( ret, "certificate hostname mismatch, " );
     217       
     218        if( ret->len == 0 )
     219        {
     220                g_string_free( ret, TRUE );
     221                return NULL;
     222        }
     223        else
     224        {
     225                g_string_truncate( ret, ret->len - 2 );
     226                return g_string_free( ret, FALSE );
     227        }
     228}
     229
    124230static gboolean ssl_connected( gpointer data, gint source, b_input_condition cond )
    125231{
     
    128234        if( source == -1 )
    129235        {
    130                 conn->func( conn->data, NULL, cond );
     236                conn->func( conn->data, 0, NULL, cond );
    131237                g_free( conn );
    132238                return FALSE;
     
    136242       
    137243        gnutls_certificate_allocate_credentials( &conn->xcred );
     244        if( conn->verify && global.conf->cafile )
     245        {
     246                gnutls_certificate_set_x509_trust_file( conn->xcred, global.conf->cafile, GNUTLS_X509_FMT_PEM );
     247                gnutls_certificate_set_verify_flags( conn->xcred, GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT );
     248        }
     249
    138250        gnutls_init( &conn->session, GNUTLS_CLIENT );
     251        if( conn->verify )
     252                gnutls_session_set_ptr( conn->session, (void *) conn->hostname );
    139253#if GNUTLS_VERSION_NUMBER < 0x020c00
    140254        gnutls_transport_set_lowat( conn->session, 0 );
     
    152266{
    153267        struct scd *conn = data;
    154         int st;
     268        int st, stver;
    155269       
    156270        if( ( st = gnutls_handshake( conn->session ) ) < 0 )
     
    163277                else
    164278                {
    165                         conn->func( conn->data, NULL, cond );
     279                        conn->func( conn->data, 0, NULL, cond );
    166280                       
    167281                        gnutls_deinit( conn->session );
     
    174288        else
    175289        {
    176                 /* For now we can't handle non-blocking perfectly everywhere... */
    177                 sock_make_blocking( conn->fd );
     290                if( conn->verify && ( stver = verify_certificate_callback( conn->session ) ) != 0 )
     291                {
     292                        conn->func( conn->data, stver, NULL, cond );
     293
     294                        gnutls_deinit( conn->session );
     295                        gnutls_certificate_free_credentials( conn->xcred );
     296                        closesocket( conn->fd );
     297
     298                        g_free( conn );
     299                }
     300                else
     301                {
     302                        /* For now we can't handle non-blocking perfectly everywhere... */
     303                        sock_make_blocking( conn->fd );
    178304               
    179                 conn->established = TRUE;
    180                 conn->func( conn->data, conn, cond );
     305                        conn->established = TRUE;
     306                        conn->func( conn->data, 0, conn, cond );
     307                }
    181308        }
    182309       
  • lib/ssl_nss.c

    r2d93a51e r792a93b  
    5252        PRFileDesc *prfd;
    5353        gboolean established;
     54        gboolean verify;
    5455};
    5556
     
    102103}
    103104
    104 void *ssl_connect( char *host, int port, ssl_input_function func, gpointer data )
     105void *ssl_connect( char *host, int port, gboolean verify, ssl_input_function func, gpointer data )
    105106{
    106107        struct scd *conn = g_new0( struct scd, 1 );
     
    132133}
    133134
    134 void *ssl_starttls( int fd, ssl_input_function func, gpointer data )
     135void *ssl_starttls( int fd, char *hostname, gboolean verify, ssl_input_function func, gpointer data )
    135136{
    136137        struct scd *conn = g_new0( struct scd, 1 );
     
    139140        conn->func = func;
    140141        conn->data = data;
     142        conn->verify = verify;
    141143
    142144        /* This function should be called via a (short) timeout instead of
     
    157159{
    158160        struct scd *conn = data;
     161       
     162        /* Right now we don't have any verification functionality for nss so we
     163           fail in case verification has been requested by the user. */
     164
     165        if( conn->verify )
     166        {
     167                conn->func( conn->data, NSS_VERIFY_ERROR, NULL, cond );
     168                if( source >= 0 ) closesocket( source );
     169                g_free( conn );
     170
     171                return FALSE;
     172        }
    159173       
    160174        if( source == -1 )
     
    177191       
    178192        conn->established = TRUE;
    179         conn->func( conn->data, conn, cond );
     193        conn->func( conn->data, 0, conn, cond );
    180194        return FALSE;
    181195       
    182196        ssl_connected_failure:
    183197       
    184         conn->func( conn->data, NULL, cond );
     198        conn->func( conn->data, 0, NULL, cond );
    185199       
    186200        PR_Close( conn -> prfd );
     
    238252        return B_EV_IO_READ;
    239253}
     254
     255char *ssl_verify_strerror( int code )
     256{
     257        return g_strdup( "SSL certificate verification not supported by BitlBee NSS code." );
     258}
  • lib/ssl_openssl.c

    r2d93a51e r792a93b  
    4545        int fd;
    4646        gboolean established;
     47        gboolean verify;
    4748       
    4849        int inpa;
     
    6465}
    6566
    66 void *ssl_connect( char *host, int port, ssl_input_function func, gpointer data )
     67void *ssl_connect( char *host, int port, gboolean verify, ssl_input_function func, gpointer data )
    6768{
    6869        struct scd *conn = g_new0( struct scd, 1 );
     
    8283}
    8384
    84 void *ssl_starttls( int fd, ssl_input_function func, gpointer data )
     85void *ssl_starttls( int fd, char *hostname, gboolean verify, ssl_input_function func, gpointer data )
    8586{
    8687        struct scd *conn = g_new0( struct scd, 1 );
     
    9091        conn->data = data;
    9192        conn->inpa = -1;
     93        conn->verify = verify;
    9294       
    9395        /* This function should be called via a (short) timeout instead of
     
    117119        SSL_METHOD *meth;
    118120       
     121        /* Right now we don't have any verification functionality for openssl so we
     122           fail in case verification has been requested by the user. */
     123
     124        if( conn->verify )
     125        {
     126                conn->func( conn->data, OPENSSL_VERIFY_ERROR, NULL, cond );
     127                if( source >= 0 ) closesocket( source );
     128                g_free( conn );
     129
     130                return FALSE;
     131        }
     132
    119133        if( source == -1 )
    120134                goto ssl_connected_failure;
     
    141155
    142156ssl_connected_failure:
    143         conn->func( conn->data, NULL, cond );
     157        conn->func( conn->data, 0, NULL, cond );
    144158       
    145159        if( conn->ssl )
     
    169183                if( conn->lasterr != SSL_ERROR_WANT_READ && conn->lasterr != SSL_ERROR_WANT_WRITE )
    170184                {
    171                         conn->func( conn->data, NULL, cond );
     185                        conn->func( conn->data, 0, NULL, cond );
    172186                       
    173187                        SSL_shutdown( conn->ssl );
     
    187201        conn->established = TRUE;
    188202        sock_make_blocking( conn->fd );         /* For now... */
    189         conn->func( conn->data, conn, cond );
     203        conn->func( conn->data, 0, conn, cond );
    190204        return FALSE;
    191205}
     
    272286{
    273287        return( ((struct scd*)conn)->lasterr == SSL_ERROR_WANT_WRITE ? B_EV_IO_WRITE : B_EV_IO_READ );
     288}
     289
     290char *ssl_verify_strerror( int code )
     291{
     292        return g_strdup( "SSL certificate verification not supported by BitlBee OpenSSL code." );
    274293}
    275294
  • protocols/jabber/io.c

    r2d93a51e r792a93b  
    279279}
    280280
    281 gboolean jabber_connected_ssl( gpointer data, void *source, b_input_condition cond )
     281gboolean jabber_connected_ssl( gpointer data, int returncode, void *source, b_input_condition cond )
    282282{
    283283        struct im_connection *ic = data;
     
    295295                jd->ssl = NULL;
    296296               
    297                 imcb_error( ic, "Could not connect to server" );
    298                 imc_logout( ic, TRUE );
     297                if( returncode != 0 )
     298                {
     299                        char *err = ssl_verify_strerror( returncode );
     300                        imcb_error( ic, "Certificate verification problem 0x%x: %s",
     301                                    returncode, err ? err : "Unknown" );
     302                        g_free( err );
     303                        imc_logout( ic, FALSE );
     304                }
     305                else
     306                {
     307                        imcb_error( ic, "Could not connect to server" );
     308                        imc_logout( ic, TRUE );
     309                }
     310               
    299311                return FALSE;
    300312        }
     
    400412        struct im_connection *ic = data;
    401413        struct jabber_data *jd = ic->proto_data;
    402         char *xmlns;
     414        char *xmlns, *tlsname;
    403415       
    404416        xmlns = xt_find_attr( node, "xmlns" );
     
    426438       
    427439        jd->flags |= JFLAG_STARTTLS_DONE;
    428         jd->ssl = ssl_starttls( jd->fd, jabber_connected_ssl, ic );
     440
     441        /* If the user specified a server for the account, use this server as the
     442         * hostname in the certificate verification. Else we use the domain from
     443         * the username. */
     444        if( ic->acc->server && *ic->acc->server )
     445                tlsname = ic->acc->server;
     446        else
     447                tlsname = jd->server;
     448       
     449        jd->ssl = ssl_starttls( jd->fd, tlsname, set_getbool( &ic->acc->set, "tls_verify" ),
     450                                jabber_connected_ssl, ic );
    429451       
    430452        return XT_HANDLED;
  • protocols/jabber/jabber.c

    r2d93a51e r792a93b  
    8080       
    8181        s = set_add( &acc->set, "tls", "try", set_eval_tls, acc );
     82        s->flags |= ACC_SET_OFFLINE_ONLY;
     83       
     84        s = set_add( &acc->set, "tls_verify", "true", set_eval_bool, acc );
    8285        s->flags |= ACC_SET_OFFLINE_ONLY;
    8386       
     
    233236        if( set_getbool( &acc->set, "ssl" ) )
    234237        {
    235                 jd->ssl = ssl_connect( connect_to, set_getint( &acc->set, "port" ), jabber_connected_ssl, ic );
     238                jd->ssl = ssl_connect( connect_to, set_getint( &acc->set, "port" ), FALSE, jabber_connected_ssl, ic );
    236239                jd->fd = jd->ssl ? ssl_getfd( jd->ssl ) : -1;
    237240        }
  • protocols/jabber/jabber.h

    r2d93a51e r792a93b  
    309309int jabber_write( struct im_connection *ic, char *buf, int len );
    310310gboolean jabber_connected_plain( gpointer data, gint source, b_input_condition cond );
    311 gboolean jabber_connected_ssl( gpointer data, void *source, b_input_condition cond );
     311gboolean jabber_connected_ssl( gpointer data, int returncode, void *source, b_input_condition cond );
    312312gboolean jabber_start_stream( struct im_connection *ic );
    313313void jabber_end_stream( struct im_connection *ic );
  • protocols/msn/soap.c

    r2d93a51e r792a93b  
    6060        struct im_connection *ic;
    6161        int ttl;
     62        char *error;
    6263       
    6364        char *url, *action, *payload;
     
    158159        }
    159160       
     161        if( http_req->status_code != 200 )
     162                soap_req->error = g_strdup( http_req->status_string );
     163       
    160164        st = soap_req->handle_response( soap_req );
    161165
     
    164168        g_free( soap_req->action );
    165169        g_free( soap_req->payload );
    166         soap_req->url = soap_req->action = soap_req->payload = NULL;
     170        g_free( soap_req->error );
     171        soap_req->url = soap_req->action = soap_req->payload = soap_req->error = NULL;
    167172       
    168173        if( st == MSN_SOAP_RETRY && --soap_req->ttl )
     
    253258        g_free( soap_req->action );
    254259        g_free( soap_req->payload );
     260        g_free( soap_req->error );
    255261        g_free( soap_req );
    256262}
     
    410416        if( sd->secret == NULL )
    411417        {
    412                 msn_auth_got_passport_token( ic, NULL, sd->error );
     418                msn_auth_got_passport_token( ic, NULL, sd->error ? sd->error : soap_req->error );
    413419                return MSN_SOAP_OK;
    414420        }
  • protocols/skype/skype.c

    r2d93a51e r792a93b  
    11571157}
    11581158
    1159 gboolean skype_connected(gpointer data, void *source, b_input_condition cond)
     1159gboolean skype_connected(gpointer data, int returncode, void *source, b_input_condition cond)
    11601160{
    11611161        struct im_connection *ic = data;
     
    11851185        imcb_log(ic, "Connecting");
    11861186        sd->ssl = ssl_connect(set_getstr(&acc->set, "server"),
    1187                 set_getint(&acc->set, "port"), skype_connected, ic);
     1187                set_getint(&acc->set, "port"), FALSE, skype_connected, ic);
    11881188        sd->fd = sd->ssl ? ssl_getfd(sd->ssl) : -1;
    11891189        sd->username = g_strdup(acc->user);
Note: See TracChangeset for help on using the changeset viewer.