pidgin: 143b76f5: Add a debug log message when MD5 is used...
darkrain42 at pidgin.im
darkrain42 at pidgin.im
Tue Jul 21 02:50:35 EDT 2009
-----------------------------------------------------------------
Revision: 143b76f58d972c4684d6d833fd85b68501344d47
Ancestor: 73a88ac85b97264c19b9a9966270eecd310b6bff
Author: darkrain42 at pidgin.im
Date: 2009-07-21T05:33:43
Branch: im.pidgin.pidgin
URL: http://d.pidgin.im/viewmtn/revision/info/143b76f58d972c4684d6d833fd85b68501344d47
Modified files:
libpurple/plugins/ssl/ssl-gnutls.c
ChangeLog:
Add a debug log message when MD5 is used in a verification chain. Refs #4458.
Adding a warning for end-users isn't going to be helpful in my opinion,
but if someone can come up with a short, clear, and accurate message to
convey this information to a user (who then needs to convey it to a
server operator), I'm all ears.
-------------- next part --------------
============================================================
--- libpurple/plugins/ssl/ssl-gnutls.c 90bd5f2b85d722c537f6e0366325527c0116f861
+++ libpurple/plugins/ssl/ssl-gnutls.c 03b805a4df31b78b6c854829c6429af50302fc2a
@@ -668,6 +668,8 @@ x509_certificate_signed_by(PurpleCertifi
gnutls_x509_crt issuer_dat;
unsigned int verify; /* used to store result from GnuTLS verifier */
int ret;
+ gchar *crt_id = NULL;
+ gchar *issuer_id = NULL;
g_return_val_if_fail(crt, FALSE);
g_return_val_if_fail(issuer, FALSE);
@@ -728,13 +730,29 @@ x509_certificate_signed_by(PurpleCertifi
return FALSE;
}
+ if (verify & GNUTLS_CERT_INSECURE_ALGORITHM) {
+ /*
+ * A certificate in the chain is signed with an insecure
+ * algorithm. Put a warning into the log to make this error
+ * perfectly clear as soon as someone looks at the debug log is
+ * generated.
+ */
+ crt_id = purple_certificate_get_unique_id(crt);
+ issuer_id = purple_certificate_get_issuer_unique_id(crt);
+ purple_debug_warning("gnutls/x509",
+ "Insecure hash algorithm used by %s to sign %s\n",
+ issuer_id, crt_id);
+ }
+
if (verify & GNUTLS_CERT_INVALID) {
/* Signature didn't check out, but at least
there were no errors*/
- gchar *crt_id = purple_certificate_get_unique_id(crt);
- gchar *issuer_id = purple_certificate_get_issuer_unique_id(crt);
- purple_debug_info("gnutls/x509",
- "Bad signature for %s on %s\n",
+ if (!crt_id)
+ crt_id = purple_certificate_get_unique_id(crt);
+ if (!issuer_id)
+ issuer_id = purple_certificate_get_issuer_unique_id(crt);
+ purple_debug_error("gnutls/x509",
+ "Bad signature from %s on %s\n",
issuer_id, crt_id);
g_free(crt_id);
g_free(issuer_id);
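Review bot: The `crt_id` and `issuer_id` strings allocated in the new `GNUTLS_CERT_INSECURE_ALGORITHM` branch are freed only inside the `GNUTLS_CERT_INVALID` branch, so a verify result carrying the first flag without the second would leak both. GnuTLS appears to set the two flags together, but nothing in the hunk states that dependency. Either document it at the first branch with something like `/* GnuTLS also sets GNUTLS_CERT_INVALID here; the IDs are freed below */`, or make the release independent of it by ending the insecure-algorithm block with `g_free(crt_id); g_free(issuer_id); crt_id = issuer_id = NULL;`. The function continues past the end of the hunk, so a later free on the success path cannot be ruled out from here. Separately, the new block comment ends in a garbled clause ("looks at the debug log is generated"); "so the problem is obvious to anyone reading the debug log" would say what is meant.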