diff --git a/dirmngr/ks-engine-http.c b/dirmngr/ks-engine-http.c
index 007bbc99d..f55a25774 100644
--- a/dirmngr/ks-engine-http.c
+++ b/dirmngr/ks-engine-http.c
@@ -78,6 +78,7 @@ ks_http_fetch (ctrl_t ctrl, const char *url, unsigned int flags,
 estream_t fp = NULL;
 char *request_buffer = NULL;
 parsed_uri_t uri = NULL;
+ parsed_uri_t helpuri = NULL;
 err = http_parse_uri (&uri, url, 0);
 if (err)
@@ -134,9 +135,25 @@ ks_http_fetch (ctrl_t ctrl, const char *url, unsigned int flags,
 }
 if (err)
 {
- /* Fixme: After a redirection we show the old host name. */
 log_error (_("error connecting to '%s': %s\n"), url, gpg_strerror (err));
+ if (gpg_err_code (err) == GPG_ERR_WRONG_NAME
+ && gpg_err_source (err) == GPG_ERR_SOURCE_TLS)
+ {
+ const char *errhostname;
+
+ http_release_parsed_uri (helpuri);
+ if (http_parse_uri (&helpuri, url, 0))
+ errhostname = url; /* On parse error we use the full URL. */
+ else
+ errhostname = helpuri->host? helpuri->host : "?";
+
+ dirmngr_status_printf (ctrl, "NOTE",
+ "tls_cert_error %u"
+ " bad cert for '%s': %s",
+ err, errhostname,
+ "Hostname does not match the certificate");
+ }
 goto leave;
 }
@@ -203,5 +220,6 @@ ks_http_fetch (ctrl_t ctrl, const char *url, unsigned int flags,
 http_session_release (session);
 xfree (request_buffer);
 http_release_parsed_uri (uri);
+ http_release_parsed_uri (helpuri);
 return err;
 }
diff --git a/doc/DETAILS b/doc/DETAILS
index 6e362523d..6ce340e8c 100644
--- a/doc/DETAILS
+++ b/doc/DETAILS
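Review bot: In the second hunk (the `if (err)` branch), `errhostname` is derived from `url` and written unmodified into the `NOTE tls_cert_error` status line; the removed Fixme indicates that `url` can be a redirect target, so this text may be chosen by the remote server. It should be reduced to printable, space-free characters (or percent-escaped) before it reaches `dirmngr_status_printf`, because the status callback in g10/call-dirmngr.c appears to process the remainder of the line after the keyword. The full-URL fallback on a parse error could also carry userinfo from the URL, so a fixed value is safer there, for example `errhostname = "?";`. Separately, the block relies on `http_parse_uri` leaving `helpuri` NULL when it fails, since `helpuri` is released again before `return err;` in the third hunk; that contract is not visible in this diff and deserves a comment such as `/* http_parse_uri stores NULL in HELPURI on failure. */`. ks_http_fetch begins outside the hunks shown.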
@@ -1053,10 +1053,14 @@ pkd:0:1024:B665B1435F4C2 .... FF26ABB:
 numerical error code and an underscore; e.g.: "151011327_EOF".
 *** WARNING []
 This is a generic warning status message, it might be followed by
- error location specific data. and
- should not contain spaces. The error code is a either a string
- commencing with a letter or such a string prefixed with a
- numerical error code and an underscore; e.g.: "151011327_EOF".
+ error location specific data. and may not
+ contain spaces. The may be used to indicate a class of
+ warnings. The error code is a either a string commencing with a
+ letter or such a string prefixed with a numerical error code and
+ an underscore; e.g.: "151011327_EOF".
+*** NOTE []
+ This is a generic info status message the same syntax as for
+ WARNING messages is used.
 *** SUCCESS []
 Positive confirmation that an operation succeeded. It is used similar to ISO-C's EXIT_SUCCESS. is optional but if
diff --git a/g10/call-dirmngr.c b/g10/call-dirmngr.c
index 58829c764..88fd97eb1 100644
--- a/g10/call-dirmngr.c
+++ b/g10/call-dirmngr.c
@@ -395,6 +395,7 @@ ks_status_cb (void *opaque, const char *line)
 gpg_error_t err = 0;
 const char *s, *s2;
 const char *warn;
+ int is_note = 0;
 if ((s = has_leading_keyword (line, parm->keyword? parm->keyword : "SOURCE")))
 {
@@ -406,7 +407,8 @@ ks_status_cb (void *opaque, const char *line)
 err = gpg_error_from_syserror ();
 }
 }
- else if ((s = has_leading_keyword (line, "WARNING")))
+ else if ((s = has_leading_keyword (line, "WARNING"))
+ || (is_note = !!(s = has_leading_keyword (line, "NOTE"))))
 {
 if ((s2 = has_leading_keyword (s, "tor_not_running")))
 warn = _("Tor is not running");
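Review bot: The new condition in the `@@ -406,7 +407,8 @@` hunk assigns both `s` and `is_note` inside the right-hand operand of `||`, which is easy to misread and leaves `is_note` meaningful only because the WARNING test is evaluated first. A short comment above the branch would make the intent explicit, for example `/* NOTE lines reuse the WARNING keyword table; is_note only selects the log prefix. */`. As written, every keyword in the table (such as `tor_not_running`) is now accepted under either prefix; if that is intended, it is worth saying so in the comment. The body of ks_status_cb starts and ends outside this hunk.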
@@ -418,12 +420,17 @@ ks_status_cb (void *opaque, const char *line)
 warn = _("unacceptable HTTP redirect from server");
 else if ((s2 = has_leading_keyword (s, "http_redirect_cleanup")))
 warn = _("unacceptable HTTP redirect from server was cleaned up");
+ else if ((s2 = has_leading_keyword (s, "tls_cert_error")))
+ warn = _("server uses an invalid certificate");
 else
 warn = NULL;
 if (warn)
 {
- log_info (_("WARNING: %s\n"), warn);
+ if (is_note)
+ log_info (_("Note: %s\n"), warn);
+ else
+ log_info (_("WARNING: %s\n"), warn);
 if (s2)
 {
 while (*s2 && !spacep (s2))
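Review bot: A failed server identity check is shown to the user with the softer `Note:` prefix whenever dirmngr sends `tls_cert_error` under NOTE, because the prefix in the `if (warn)` block depends only on `is_note`. A hostname mismatch is the signal a user most needs to notice, so consider keeping the WARNING wording for that keyword, for example `if (is_note && !has_leading_keyword (s, "tls_cert_error"))`. If the lower severity is deliberate, a comment next to the `tls_cert_error` branch should say why. The body of ks_status_cb continues outside this hunk.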