| author | Felix (xq) Queißner <git@mq32.de> | 2020-06-19 21:13:32 +0200 |
|---|---|---|
| committer | Felix (xq) Queißner <git@mq32.de> | 2020-06-19 21:13:32 +0200 |
| commit | bfdc7d39485bbef90a65b79f6c3b0986133f530d (patch) | |
| tree | 7a50b6c9dc372cb302f064940c25826d0e1e07a1 /src/webclient.cpp | |
| parent | 63103aa8c7f5b56720da097c73aa99da25841d45 (diff) | |
| download | kristall-bfdc7d39485bbef90a65b79f6c3b0986133f530d.tar.gz | |
Reworks TLS trust to enable symmetry between HTTPS and Gemini
Diffstat (limited to 'src/webclient.cpp')
| -rw-r--r-- | src/webclient.cpp | 62 |
1 files changed, 52 insertions, 10 deletions
diff --git a/src/webclient.cpp b/src/webclient.cpp
index 6d23ad3..b5d4d9d 100644
--- a/src/webclient.cpp
+++ b/src/webclient.cpp
@@ -32,14 +32,15 @@ bool WebClient::startRequest(const QUrl &url, RequestOptions options)
     this->options = options;
     this->body.clear();
-    QSslConfiguration ssl_config;
+    QNetworkRequest request(url);
+
+    auto ssl_config = request.sslConfiguration();
     // ssl_config.setProtocol(QSsl::TlsV1_2);
-    // if(global_trust.enable_ca)
-    // ssl_config.setCaCertificates(QSslConfiguration::systemCaCertificates());
-    // else
-    // ssl_config.setCaCertificates(QList<QSslCertificate> { });
+    if(global_https_trust.enable_ca)
+        ssl_config.setCaCertificates(QSslConfiguration::systemCaCertificates());
+    else
+        ssl_config.setCaCertificates(QList<QSslCertificate> { });
-    QNetworkRequest request(url);
     // request.setMaximumRedirectsAllowed(5);
     request.setAttribute(QNetworkRequest::FollowRedirectsAttribute, false);
     request.setSslConfiguration(ssl_config);
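Review bot: The `else` branch installs an empty CA list, which reads like a misconfiguration unless the reader already knows that verification is meant to fail there so that the trust decision is taken later; a why-comment above `if(global_https_trust.enable_ca)` would make that explicit, e.g. `// With CA trust disabled the chain is never accepted by the CA store; the trust decision is made in on_sslErrors instead` (presumably the intent given the on_sslErrors rework in this commit — confirm). The `// ssl_config.setProtocol(QSsl::TlsV1_2);` line stays commented out, so the minimum protocol version is whatever `request.sslConfiguration()` returns by default; if that is deliberate it is worth stating next to it. startRequest's body begins and ends outside the hunk.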
@@ -141,10 +142,51 @@ void WebClient::on_sslErrors(const QList<QSslError> &errors)
         return;
     }
-    qDebug() << "HTTP SSL Errors:";
-    for(auto const & err : errors)
-        qDebug() << err;
-    this->current_reply->ignoreSslErrors();
+    QList<QSslError> remaining_errors = errors;
+    QList<QSslError> ignored_errors;
+
+    int i = 0;
+    while(i < remaining_errors.size())
+    {
+        auto const & err = remaining_errors.at(i);
+
+        bool ignore = false;
+        if(SslTrust::isTrustRelated(err.error()))
+        {
+            if(global_https_trust.isTrusted(current_reply->url(), current_reply->sslConfiguration().peerCertificate()))
+            {
+                ignore = true;
+            }
+            else
+            {
+                emit this->networkError(UntrustedHost, "The requested host is not trusted.");
+                return;
+            }
+        }
+        else if(err.error() == QSslError::UnableToVerifyFirstCertificate)
+        {
+            ignore = true;
+        }
+
+        if(ignore) {
+            ignored_errors.append(err);
+            remaining_errors.removeAt(0);
+        } else {
+            i += 1;
+        }
+    }
+
+    current_reply->ignoreSslErrors(ignored_errors);
+
+    qDebug() << "ignoring" << ignored_errors.size() << "out of" << errors.size();
+
+    for(auto const & error : remaining_errors) {
+        qWarning() << int(error.error()) << error.errorString();
+    }
+
+    if(remaining_errors.size() > 0) {
+        emit this->networkError(TlsFailure, remaining_errors.first().errorString());
+    }
 }
 void WebClient::on_redirected(const QUrl &url)
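Review bot: `remaining_errors.removeAt(0);` in the `if(ignore)` branch removes the wrong element once `i` is greater than zero: every element below index i was deliberately kept, so the call drops one of those kept errors while the error that was just appended to ignored_errors stays in remaining_errors. The visible consequence is that the `TlsFailure` signal at the bottom can be emitted with the text of an error the code had already decided to ignore, and the error that was actually not ignorable is never logged by the qWarning loop; the line should read `remaining_errors.removeAt(i);`, matching the element `err` refers to. Separately, `QSslError::UnableToVerifyFirstCertificate` is accepted unconditionally, independent of `global_https_trust` and of the `isTrusted` check; if I read the Qt enum right that covers chains whose leaf signature could not be verified, so accepting it even when CA trust is enabled deserves either a gate like the trust-related branch or a comment such as `// NOTE: accepted regardless of trust settings because <reason>` — worth confirming against the Qt documentation. The `return; }` at the top of the hunk closes a guard whose condition lies outside the hunk.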
