
dirmngr,gpg: Better diagnostic in case of bad TLS certificates.

* doc/DETAILS: Specify new status code "NOTE".
* dirmngr/ks-engine-http.c (ks_http_fetch): Print a NOTE status for a
bad TLS certificate.
* g10/call-dirmngr.c (ks_status_cb): Detect this status.
--

For example a

  gpg -v --locate-external-keys dd9jn@posteo.net

now yields

  gpg: Note: server uses an invalid certificate
  gpg: (further info: bad cert for 'posteo.net': \
                      Hostname does not match the certificate)
  gpg: error retrieving 'dd9jn@posteo.net' via WKD: Wrong name
  gpg: error reading key: Wrong name

(without -v the "further info" line is not shown).  Note that even
after years Posteo is not able to provide a valid certificate for
their .net addresses.  Anyway, this helps to show the feature.

Signed-off-by: Werner Koch <wk@gnupg.org>
This commit is contained in:
Werner Koch 2019-11-18 18:23:04 +01:00
parent ae9acb8745
commit d9c7935188
No known key found for this signature in database
GPG key ID: E3FDFF218E45B72B
3 changed files with 36 additions and 7 deletions


@ -395,6 +395,7 @@ ks_status_cb (void *opaque, const char *line)
gpg_error_t err = 0;
const char *s, *s2;
const char *warn;
int is_note = 0;
if ((s = has_leading_keyword (line, parm->keyword? parm->keyword : "SOURCE")))
{
@ -406,7 +407,8 @@ ks_status_cb (void *opaque, const char *line)
err = gpg_error_from_syserror ();
}
}
else if ((s = has_leading_keyword (line, "WARNING")))
else if ((s = has_leading_keyword (line, "WARNING"))
|| (is_note = !!(s = has_leading_keyword (line, "NOTE"))))
{
if ((s2 = has_leading_keyword (s, "tor_not_running")))
warn = _("Tor is not running");
@ -418,12 +420,17 @@ ks_status_cb (void *opaque, const char *line)
warn = _("unacceptable HTTP redirect from server");
else if ((s2 = has_leading_keyword (s, "http_redirect_cleanup")))
warn = _("unacceptable HTTP redirect from server was cleaned up");
else if ((s2 = has_leading_keyword (s, "tls_cert_error")))
warn = _("server uses an invalid certificate");
else
warn = NULL;
if (warn)
{
log_info (_("WARNING: %s\n"), warn);
if (is_note)
log_info (_("Note: %s\n"), warn);
else
log_info (_("WARNING: %s\n"), warn);
if (s2)
{
while (*s2 && !spacep (s2))