authorWerner Koch <wk@gnupg.org>2019-11-18 18:23:04 +0100
committerWerner Koch <wk@gnupg.org>2019-11-18 18:26:55 +0100
commitd9c7935188483dae381c12e7eef19072bbade4b3 (patch)
treeef9db43e7de0a46eec8216d173cfc53ab76b79ff /dirmngr/ks-engine-http.c
parentdirmngr: Forward http redirect warnings to gpg. (diff)
dirmngr,gpg: Better diagnostic in case of bad TLS certificates.
* doc/DETAILS: Specify new status code "NOTE".
* dirmngr/ks-engine-http.c (ks_http_fetch): Print a NOTE status for a bad TLS certificate.
* g10/call-dirmngr.c (ks_status_cb): Detect this status.
--
For example a

  gpg -v --locate-external-keys dd9jn@posteo.net

now yields

  gpg: Note: server uses an invalid certificate
  gpg: (further info: bad cert for 'posteo.net': \
       Hostname does not match the certificate)
  gpg: error retrieving 'dd9jn@posteo.net' via WKD: Wrong name
  gpg: error reading key: Wrong name

(without -v the "further info" line is not shown).

Note that even after years Posteo is not able to provide a valid certificate for their .net addresses. Anyway, this helps to show the feature.

Signed-off-by: Werner Koch <wk@gnupg.org>
Diffstat (limited to 'dirmngr/ks-engine-http.c')
-rw-r--r--dirmngr/ks-engine-http.c20
1 files changed, 19 insertions, 1 deletions
diff --git a/dirmngr/ks-engine-http.c b/dirmngr/ks-engine-http.c
index 007bbc99d..f55a25774 100644
--- a/dirmngr/ks-engine-http.c
+++ b/dirmngr/ks-engine-http.c
@@ -78,6 +78,7 @@ ks_http_fetch (ctrl_t ctrl, const char *url, unsigned int flags,
estream_t fp = NULL;
char *request_buffer = NULL;
parsed_uri_t uri = NULL;
+ parsed_uri_t helpuri = NULL;
err = http_parse_uri (&uri, url, 0);
if (err)
@@ -134,9 +135,25 @@ ks_http_fetch (ctrl_t ctrl, const char *url, unsigned int flags,
}
if (err)
{
- /* Fixme: After a redirection we show the old host name. */
log_error (_("error connecting to '%s': %s\n"),
url, gpg_strerror (err));
+ if (gpg_err_code (err) == GPG_ERR_WRONG_NAME
+ && gpg_err_source (err) == GPG_ERR_SOURCE_TLS)
+ {
+ const char *errhostname;
+
+ http_release_parsed_uri (helpuri);
+ if (http_parse_uri (&helpuri, url, 0))
+ errhostname = url; /* On parse error we use the full URL. */
+ else
+ errhostname = helpuri->host? helpuri->host : "?";
+
+ dirmngr_status_printf (ctrl, "NOTE",
+ "tls_cert_error %u"
+ " bad cert for '%s': %s",
+ err, errhostname,
+ "Hostname does not match the certificate");
+ }
goto leave;
}
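Review bot: The NOTE status is only emitted for GPG_ERR_WRONG_NAME, so any other certificate failure reported by the TLS layer (an expired or untrusted certificate, if those reach this point under a different code with GPG_ERR_SOURCE_TLS) still gets just the generic log_error and gpg receives no `tls_cert_error` hint, which is narrower than "bad TLS certificates" in the commit title suggests. If that scope is intentional, a comment above the new `if`, such as `/* Only hostname mismatches are reported as a NOTE; other TLS certificate errors are not distinguished here yet. */`, would stop the next reader from assuming the check is complete; otherwise the condition could be widened to the TLS error source and the fixed message replaced by `gpg_strerror (err)`. The hostname in the NOTE is parsed from the `url` parameter, so unless the redirect handling elsewhere in this function reassigns `url` (which the deleted "Fixme" and the parent commit hint at, but this hunk does not show), a failure after a redirect would name the original host rather than the one whose certificate was rejected — worth confirming. The `http_release_parsed_uri (helpuri)` before the parse appears to be a no-op on the visible path, since helpuri is still NULL and the block jumps to leave right afterwards; harmless, but it reads as if helpuri could already be set. ks_http_fetch starts and ends outside this hunk.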
@@ -203,5 +220,6 @@ ks_http_fetch (ctrl_t ctrl, const char *url, unsigned int flags,
http_session_release (session);
xfree (request_buffer);
http_release_parsed_uri (uri);
+ http_release_parsed_uri (helpuri);
return err;
}