Do not ignore SSL errors, except for self-signed cert errors.
Thanks Matthias Gerstner <mgerstner@suse.de> for reporting this.
This commit is contained in:
parent
be2d3947f1
commit
7b904f47b3
1 changed files with 13 additions and 11 deletions
|
@ -315,9 +315,7 @@ void LanLinkProvider::tcpSocketConnected()
|
||||||
|
|
||||||
connect(socket, &QSslSocket::encrypted, this, &LanLinkProvider::encrypted);
|
connect(socket, &QSslSocket::encrypted, this, &LanLinkProvider::encrypted);
|
||||||
|
|
||||||
if (isDeviceTrusted) {
|
connect(socket, QOverload<const QList<QSslError> &>::of(&QSslSocket::sslErrors), this, &LanLinkProvider::sslErrors);
|
||||||
connect(socket, QOverload<const QList<QSslError> &>::of(&QSslSocket::sslErrors), this, &LanLinkProvider::sslErrors);
|
|
||||||
}
|
|
||||||
|
|
||||||
socket->startServerEncryption();
|
socket->startServerEncryption();
|
||||||
|
|
||||||
|
@ -344,8 +342,6 @@ void LanLinkProvider::encrypted()
|
||||||
|
|
||||||
QSslSocket* socket = qobject_cast<QSslSocket*>(sender());
|
QSslSocket* socket = qobject_cast<QSslSocket*>(sender());
|
||||||
if (!socket) return;
|
if (!socket) return;
|
||||||
// TODO delete me?
|
|
||||||
disconnect(socket, QOverload<const QList<QSslError> &>::of(&QSslSocket::sslErrors), this, &LanLinkProvider::sslErrors);
|
|
||||||
|
|
||||||
Q_ASSERT(socket->mode() != QSslSocket::UnencryptedMode);
|
Q_ASSERT(socket->mode() != QSslSocket::UnencryptedMode);
|
||||||
LanDeviceLink::ConnectionStarted connectionOrigin = (socket->mode() == QSslSocket::SslClientMode)? LanDeviceLink::Locally : LanDeviceLink::Remotely;
|
LanDeviceLink::ConnectionStarted connectionOrigin = (socket->mode() == QSslSocket::SslClientMode)? LanDeviceLink::Locally : LanDeviceLink::Remotely;
|
||||||
|
@ -364,14 +360,20 @@ void LanLinkProvider::sslErrors(const QList<QSslError>& errors)
|
||||||
QSslSocket* socket = qobject_cast<QSslSocket*>(sender());
|
QSslSocket* socket = qobject_cast<QSslSocket*>(sender());
|
||||||
if (!socket) return;
|
if (!socket) return;
|
||||||
|
|
||||||
qCDebug(KDECONNECT_CORE) << "Failing due to " << errors;
|
bool fatal = false;
|
||||||
Device* device = Daemon::instance()->getDevice(socket->peerVerifyName());
|
for (const QSslError& error : errors) {
|
||||||
if (device) {
|
if (error.error() != QSslError::SelfSignedCertificate) {
|
||||||
device->unpair();
|
qCCritical(KDECONNECT_CORE) << "Disconnecting due to fatal SSL Error: " << error;
|
||||||
|
fatal = true;
|
||||||
|
} else {
|
||||||
|
qCDebug(KDECONNECT_CORE) << "Ignoring self-signed cert error";
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
delete m_receivedIdentityPackets.take(socket).np;
|
if (fatal) {
|
||||||
// Socket disconnects itself on ssl error and will be deleted by deleteLater slot, no need to delete manually
|
socket->disconnectFromHost();
|
||||||
|
delete m_receivedIdentityPackets.take(socket).np;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
//I'm the new device and this is the answer to my UDP identity packet (no data received yet). They are connecting to us through TCP, and they should send an identity.
|
//I'm the new device and this is the answer to my UDP identity packet (no data received yet). They are connecting to us through TCP, and they should send an identity.
|
||||||
|
|
Loading…
Reference in a new issue