[evolution-data-server/evolution-data-server-3-12] Always reject revoked certificates
- From: Milan Crha <mcrha src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [evolution-data-server/evolution-data-server-3-12] Always reject revoked certificates
- Date: Thu, 10 Apr 2014 14:00:51 +0000 (UTC)
commit 27c29b3af8741c7ee9f72e402b4f2cc8ed3fcafc
Author: Milan Crha <mcrha redhat com>
Date: Thu Apr 10 15:56:27 2014 +0200
Always reject revoked certificates
If a revoked certificate is recognized as being used for a secure
connection, then reject the connection immediately, for security reasons.
This behaviour cannot be overridden by the user's trust setting.
camel/camel-network-service.c | 45 +++++++++++++++++++++----------------
libedataserver/e-source-webdav.c | 4 +++
2 files changed, 29 insertions(+), 20 deletions(-)
---
diff --git a/camel/camel-network-service.c b/camel/camel-network-service.c
index 0afcb34..23ea4fa 100644
--- a/camel/camel-network-service.c
+++ b/camel/camel-network-service.c
@@ -345,28 +345,33 @@ network_service_accept_certificate_cb (GTlsConnection *connection,
g_free (host);
- if (cert->trust == CAMEL_CERT_TRUST_UNKNOWN) {
- cert->trust = camel_session_trust_prompt (
- session, CAMEL_SERVICE (service),
- peer_certificate, errors);
+ if ((errors & G_TLS_CERTIFICATE_REVOKED) != 0) {
+ /* Always reject revoked certificates */
+ accept = FALSE;
+ } else {
+ if (cert->trust == CAMEL_CERT_TRUST_UNKNOWN) {
+ cert->trust = camel_session_trust_prompt (
+ session, CAMEL_SERVICE (service),
+ peer_certificate, errors);
- if (new_cert)
- network_service_certdb_store (
- certdb, cert, peer_certificate);
+ if (new_cert)
+ network_service_certdb_store (
+ certdb, cert, peer_certificate);
- camel_certdb_touch (certdb);
- }
+ camel_certdb_touch (certdb);
+ }
- switch (cert->trust) {
- case CAMEL_CERT_TRUST_MARGINAL:
- case CAMEL_CERT_TRUST_FULLY:
- case CAMEL_CERT_TRUST_ULTIMATE:
- case CAMEL_CERT_TRUST_TEMPORARY:
- accept = TRUE;
- break;
- default:
- accept = FALSE;
- break;
+ switch (cert->trust) {
+ case CAMEL_CERT_TRUST_MARGINAL:
+ case CAMEL_CERT_TRUST_FULLY:
+ case CAMEL_CERT_TRUST_ULTIMATE:
+ case CAMEL_CERT_TRUST_TEMPORARY:
+ accept = TRUE;
+ break;
+ default:
+ accept = FALSE;
+ break;
+ }
}
camel_cert_unref (cert);
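Review bot: The new revoked branch rejects silently — `accept = FALSE;` is set with no log line or prompt, so the user only sees a generic connection failure and cannot tell that a revoked certificate was the cause; a `g_debug ("Rejecting revoked certificate for %s", ...)` before the assignment, or a note in the comment that the rejection is deliberately silent, would make this diagnosable. The same silent rejection appears in the e-source-webdav.c hunk. Only `G_TLS_CERTIFICATE_REVOKED` is made non-overridable here; other flags GLib can report (for example `G_TLS_CERTIFICATE_INSECURE`) still reach the trust prompt, which may be intended but is worth stating, e.g. `/* Always reject revoked certificates; unlike other errors this cannot be overridden by a stored or prompted trust level */`. Whether the flag is ever set presumably depends on the TLS backend actually performing revocation checks, so this hardens only configurations where such checks are enabled. network_service_accept_certificate_cb begins and ends outside the hunk.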
diff --git a/libedataserver/e-source-webdav.c b/libedataserver/e-source-webdav.c
index 6cff83c..eda83d5 100644
--- a/libedataserver/e-source-webdav.c
+++ b/libedataserver/e-source-webdav.c
@@ -1483,6 +1483,10 @@ e_source_webdav_prepare_ssl_trust_prompt_with_parent (ESourceWebdav *extension,
if (!soup_message_get_https_status (message, &cert, &cert_errors) || !cert)
return E_TRUST_PROMPT_RESPONSE_REJECT;
+ /* Always reject revoked certificates */
+ if ((cert_errors & G_TLS_CERTIFICATE_REVOKED) != 0)
+ return E_TRUST_PROMPT_RESPONSE_REJECT;
+
soup_uri = soup_message_get_uri (message);
if (soup_uri == NULL)
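Review bot: The added early return is indistinguishable from the no-certificate failure two lines above it — both yield `E_TRUST_PROMPT_RESPONSE_REJECT` — so a caller cannot tell a revoked certificate from a missing one. If the function's doc comment (outside the hunk) lists the conditions under which REJECT is returned, revocation should be added to it, since this is now a non-overridable outcome of the API. e_source_webdav_prepare_ssl_trust_prompt_with_parent begins and ends outside the hunk.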