From d9c7935188483dae381c12e7eef19072bbade4b3 Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Mon, 18 Nov 2019 18:23:04 +0100 Subject: dirmngr,gpg: Better diagnostic in case of bad TLS certificates. * doc/DETAILS: Specify new status code "NOTE". * dirmngr/ks-engine-http.c (ks_http_fetch): Print a NOTE status for a bad TLS certificate. * g10/call-dirmngr.c (ks_status_cb): Detect this status. -- For example a gpg -v --locate-external-keys dd9jn@posteo.net now yields gpg: Note: server uses an invalid certificate gpg: (further info: bad cert for 'posteo.net': \ Hostname does not match the certificate) gpg: error retrieving 'dd9jn@posteo.net' via WKD: Wrong name gpg: error reading key: Wrong name (without -v the "further info" line is not shown). Note that even after years Posteo is not able to provide a valid certificate for their .net addresses. Anyway, this help to show the feature. Signed-off-by: Werner Koch --- dirmngr/ks-engine-http.c | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) (limited to 'dirmngr/ks-engine-http.c')
diff --git a/dirmngr/ks-engine-http.c b/dirmngr/ks-engine-http.c
index 007bbc99d..f55a25774 100644
--- a/dirmngr/ks-engine-http.c
+++ b/dirmngr/ks-engine-http.c
@@ -78,6 +78,7 @@ ks_http_fetch (ctrl_t ctrl, const char *url, unsigned int flags,
   estream_t fp = NULL;
   char *request_buffer = NULL;
   parsed_uri_t uri = NULL;
+  parsed_uri_t helpuri = NULL;
 
   err = http_parse_uri (&uri, url, 0);
   if (err)
@@ -134,9 +135,25 @@ ks_http_fetch (ctrl_t ctrl, const char *url, unsigned int flags,
     }
   if (err)
     {
-      /* Fixme: After a redirection we show the old host name. */
       log_error (_("error connecting to '%s': %s\n"),
                  url, gpg_strerror (err));
+      if (gpg_err_code (err) == GPG_ERR_WRONG_NAME
+          && gpg_err_source (err) == GPG_ERR_SOURCE_TLS)
+        {
+          const char *errhostname;
+
+          http_release_parsed_uri (helpuri);
+          if (http_parse_uri (&helpuri, url, 0))
+            errhostname = url; /* On parse error we use the full URL. */
+          else
+            errhostname = helpuri->host? helpuri->host : "?";
+
+          dirmngr_status_printf (ctrl, "NOTE",
+                                 "tls_cert_error %u"
+                                 " bad cert for '%s': %s",
+                                 err, errhostname,
+                                 "Hostname does not match the certificate");
+        }
       goto leave;
     }
 
@@ -203,5 +220,6 @@ ks_http_fetch (ctrl_t ctrl, const char *url, unsigned int flags,
   http_session_release (session);
   xfree (request_buffer);
   http_release_parsed_uri (uri);
+  http_release_parsed_uri (helpuri);
   return err;
 }
-- cgit v1.2.3
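Review bot: The host name spliced into the NOTE status line at the `dirmngr_status_printf` call (`errhostname`) is taken from the URL being fetched, which in the WKD case is derived from the user-supplied address and, after a redirect, may originate from the server's Location header; nothing in the hunk escapes it, yet the commit message says gpg's ks_status_cb parses this status. If the client keys on the `'…'` quoting or the `:` separator, a host containing those characters can shift the fields, and whether `http_parse_uri` already rejects such hosts is not visible here. I would at least document the contract next to the call, `/* Everything after the numeric error code is free-form text for humans; clients must rely only on the leading "tls_cert_error <code>" token.  */`, or percent-escape errhostname before printing if the status routine does not already do so. Separately, `uri` was already parsed from the same `url` at the top of the function, so the second parse into `helpuri` looks redundant unless the redirect handling reassigns `url`; that handling, and the function's start and end, lie outside this hunk.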