dirmngr,gpg: Better diagnostic in case of bad TLS certificates.

* doc/DETAILS: Specify new status code "NOTE". * dirmngr/ks-engine-http.c (ks_http_fetch): Print a NOTE status for a bad TLS certificate. * g10/call-dirmngr.c (ks_status_cb): Detect this status. -- For example a gpg -v --locate-external-keys dd9jn@posteo.net now yields gpg: Note: server uses an invalid certificate gpg: (further info: bad cert for 'posteo.net': \ Hostname does not match the certificate) gpg: error retrieving 'dd9jn@posteo.net' via WKD: Wrong name gpg: error reading key: Wrong name (without -v the "further info" line is not shown). Note that even after years Posteo is not able to provide a valid certificate for their .net addresses. Anyway, this help to show the feature. Signed-off-by: Werner Koch <wk@gnupg.org>
2025-07-02 22:46:30 +02:00 · 2019-11-18 18:23:04 +01:00 · 2019-11-18 18:23:04 +01:00 · 3efc94f1eb
commit 3efc94f1eb
parent 4dd5099125
3 changed files with 36 additions and 7 deletions
--- a/dirmngr/ks-engine-http.c
+++ b/dirmngr/ks-engine-http.c
@ -78,6 +78,7 @@ ks_http_fetch (ctrl_t ctrl, const char *url, unsigned int flags,
  estream_t fp = NULL;
  char *request_buffer = NULL;
  parsed_uri_t uri = NULL;
+  parsed_uri_t helpuri = NULL;

  err = http_parse_uri (&uri, url, 0);
  if (err)
@ -134,9 +135,25 @@ ks_http_fetch (ctrl_t ctrl, const char *url, unsigned int flags,
    }
  if (err)
    {
-      /* Fixme: After a redirection we show the old host name.  */
      log_error (_("error connecting to '%s': %s\n"),
                 url, gpg_strerror (err));
+      if (gpg_err_code (err) == GPG_ERR_WRONG_NAME
+          && gpg_err_source (err) == GPG_ERR_SOURCE_TLS)
+        {
+          const char *errhostname;
+
+          http_release_parsed_uri (helpuri);
+          if (http_parse_uri (&helpuri, url, 0))
+            errhostname = url; /* On parse error we use the full URL. */
+          else
+            errhostname = helpuri->host? helpuri->host : "?";
+
+          dirmngr_status_printf (ctrl, "NOTE",
+                                 "tls_cert_error %u"
+                                 " bad cert for '%s': %s",
+                                 err, errhostname,
+                                 "Hostname does not match the certificate");
+        }
      goto leave;
    }

@ -203,5 +220,6 @@ ks_http_fetch (ctrl_t ctrl, const char *url, unsigned int flags,
  http_session_release (session);
  xfree (request_buffer);
  http_release_parsed_uri (uri);
+  http_release_parsed_uri (helpuri);
  return err;
 }