Re: [dev] [surf] Patch to print ssl error reasons to stderr

From: Nick <suckless-dev_AT_njw.me.uk>
Date: Mon, 27 Apr 2015 15:06:48 +0100

I had forgotten about this patch, but it is a useful one and I
reckon it should be applied (or rebuked, if appropriate). It still
applies fine against the current tip ("with fuzz").

Quoth Nick:
> Quoth Markus Teich:
> > > I recently wrote a patch that printed useful debug info about SSL failures,
> > > but it got lost when mailman went down and I haven't re-sent it yet. I'll try
> > > to remember to send it to the list tonight.
> >
> > That could be very helpful. I'm looking forward to it.
>
> It's attached. It was against the trunk a week or so ago, but
> probably still applies ;)
>
> Incidentally, does anyone have any thoughts about the best ways to
> display this sort of extra status information? stderr is fine in a
> pinch, but in general I don't run my surf sessions from a terminal
> so most of the time it'd be non-trivial to fetch the output.
>
> Oh, and note I'm not sure whether it'll print the ssl failure output
> if you have sslstrict on - I haven't tested but it may well abort
> the connection before surf gets a hold of it.
>
> Nick

> From cfe99acb2382bf9b141042e406bce654e4b9a8be Mon Sep 17 00:00:00 2001
> From: Nick White <git_AT_njw.me.uk>
> Date: Mon, 3 Feb 2014 17:02:43 +0000
> Subject: [PATCH] Print certificate errors on stderr
>
> ---
> surf.c | 43 +++++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 43 insertions(+)
>
> diff --git a/surf.c b/surf.c
> index e967672..14de226 100644
> --- a/surf.c
> +++ b/surf.c
> _AT_@ -69,6 +69,21 @@ typedef struct {
> SoupCookieJarTextClass parent_class;
> } CookieJarClass;
>
> +typedef struct {
> + int flag;
> + char *errstr;
> +} TlsError;
> +
> +static TlsError tlserrors[] = {
> + { G_TLS_CERTIFICATE_UNKNOWN_CA, "The signing certificate authority is not known." },
> + { G_TLS_CERTIFICATE_BAD_IDENTITY, "The certificate does not match the expected identity of the site that it was retrieved from." },
> + { G_TLS_CERTIFICATE_NOT_ACTIVATED, "The certificate's activation time is still in the future." },
> + { G_TLS_CERTIFICATE_EXPIRED, "The certificate has expired." },
> + { G_TLS_CERTIFICATE_REVOKED, "The certificate has been revoked." },
> + { G_TLS_CERTIFICATE_INSECURE, "The certificate's algorithm is considered insecure." },
> + { G_TLS_CERTIFICATE_GENERIC_ERROR, "A general error occurred validating the certificate." },
> +};
> +
> G_DEFINE_TYPE(CookieJar, cookiejar, SOUP_TYPE_COOKIE_JAR_TEXT)
>
> static Display *dpy;
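
Review bot: in the new TlsError struct, flag is declared int although every initialiser is a G_TLS_CERTIFICATE_* value and the field is later masked against a GTlsCertificateFlags variable; declare it as GTlsCertificateFlags so the types agree. The table is only ever read and errstr points at string literals, so const char *errstr and static const TlsError tlserrors[] would let the compiler catch accidental writes. The initialiser lines are also very long; putting each message string on its own line would keep surf.c readable.
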
> _AT_@ -630,7 +645,13 @@ loadstatuschange(WebKitWebView *view, GParamSpec *pspec, Client *c) {
> WebKitWebDataSource *src;
> WebKitNetworkRequest *request;
> SoupMessage *msg;
> + SoupSession *session;
> + GTlsCertificate *cert;
> + GTlsCertificateFlags flags;
> char *uri;
> + char *cut_uri;
> + char *s;
> + int i;
>
> switch(webkit_web_view_get_load_status (c->view)) {
> case WEBKIT_LOAD_COMMITTED:
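
Review bot: cert, added to the declarations at the top of loadstatuschange(), is only ever handed to soup_message_get_https_status() as an out-argument and its value is never read, and all six new locals are needed solely by the if(c->sslfailed) branch. Moving that branch into a small helper that takes uri would keep these variables out of the normal load path; if they stay here, initialise flags to 0 (and cert to NULL) so the reporting loop prints nothing when the status call does not fill them in.
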
> _AT_@ -642,6 +663,28 @@ loadstatuschange(WebKitWebView *view, GParamSpec *pspec, Client *c) {
> msg = webkit_network_request_get_message(request);
> c->sslfailed = !(soup_message_get_flags(msg)
> & SOUP_MESSAGE_CERTIFICATE_TRUSTED);
> + if(c->sslfailed) {
> + /* For some reason the https status can't be got from webkit's soup msg,
> + * so we make a dummy connection to the server's homepage here. */
> + cut_uri = g_strdup(uri);
> + s = cut_uri;
> + for (i = 0; i < 3; ++i) {
> + s = strchr(&(s[1]), '/');
> + }
> + s[1] = '\0';
> + msg = soup_message_new("HEAD", uri);
> + soup_message_set_flags(msg, SOUP_MESSAGE_NO_REDIRECT);
> + session = webkit_get_default_session();
> + soup_session_send_message(session, msg);
> +
> + soup_message_get_https_status(msg, &cert, &flags);
> +
> + for(i = 0; i < LENGTH(tlserrors); i++) {
> + if(flags & tlserrors[i].flag) {
> + fprintf(stderr, "%s - %s\n", uri, tlserrors[i].errstr);
> + }
> + }
> + }
> }
> setatom(c, AtomUri, uri);
> break;
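
Review bot: the strchr loop in the if(c->sslfailed) block has no NULL check, so a uri with fewer than three further '/' characters (for example one with no path component) makes the next &(s[1]) or the final s[1] = '\0' write through a NULL pointer; test the result of each strchr call and skip the truncation when it fails. The truncated cut_uri is then never used: the request is built with soup_message_new("HEAD", uri), which contradicts the comment about fetching the server's homepage, and cut_uri is never passed to g_free(). The new msg is not released with g_object_unref() after soup_session_send_message() either, and that call is synchronous, so the load-status callback blocks until the extra request completes. Finally, the return value of soup_message_get_https_status() is ignored; checking it before the loop would avoid silently printing nothing when the second connection yields no certificate, and it is worth stating in the comment that the flags reported come from this second handshake rather than the one WebKit rejected.
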
> --
> 1.7.10.4
>


Received on Mon Apr 27 2015 - 16:06:48 CEST
