Commit 7b904f47 authored by Albert Vaca Cintora's avatar Albert Vaca Cintora
Browse files

Do not ignore SSL errors, except for self-signed cert errors.

Thanks Matthias Gerstner <mgerstner@suse.de> for reporting this.
parent be2d3947
...@@ -315,9 +315,7 @@ void LanLinkProvider::tcpSocketConnected() ...@@ -315,9 +315,7 @@ void LanLinkProvider::tcpSocketConnected()
connect(socket, &QSslSocket::encrypted, this, &LanLinkProvider::encrypted); connect(socket, &QSslSocket::encrypted, this, &LanLinkProvider::encrypted);
if (isDeviceTrusted) { connect(socket, QOverload<const QList<QSslError> &>::of(&QSslSocket::sslErrors), this, &LanLinkProvider::sslErrors);
connect(socket, QOverload<const QList<QSslError> &>::of(&QSslSocket::sslErrors), this, &LanLinkProvider::sslErrors);
}
socket->startServerEncryption(); socket->startServerEncryption();
...@@ -344,8 +342,6 @@ void LanLinkProvider::encrypted() ...@@ -344,8 +342,6 @@ void LanLinkProvider::encrypted()
QSslSocket* socket = qobject_cast<QSslSocket*>(sender()); QSslSocket* socket = qobject_cast<QSslSocket*>(sender());
if (!socket) return; if (!socket) return;
// TODO delete me?
disconnect(socket, QOverload<const QList<QSslError> &>::of(&QSslSocket::sslErrors), this, &LanLinkProvider::sslErrors);
Q_ASSERT(socket->mode() != QSslSocket::UnencryptedMode); Q_ASSERT(socket->mode() != QSslSocket::UnencryptedMode);
LanDeviceLink::ConnectionStarted connectionOrigin = (socket->mode() == QSslSocket::SslClientMode)? LanDeviceLink::Locally : LanDeviceLink::Remotely; LanDeviceLink::ConnectionStarted connectionOrigin = (socket->mode() == QSslSocket::SslClientMode)? LanDeviceLink::Locally : LanDeviceLink::Remotely;
...@@ -364,14 +360,20 @@ void LanLinkProvider::sslErrors(const QList<QSslError>& errors) ...@@ -364,14 +360,20 @@ void LanLinkProvider::sslErrors(const QList<QSslError>& errors)
QSslSocket* socket = qobject_cast<QSslSocket*>(sender()); QSslSocket* socket = qobject_cast<QSslSocket*>(sender());
if (!socket) return; if (!socket) return;
qCDebug(KDECONNECT_CORE) << "Failing due to " << errors; bool fatal = false;
Device* device = Daemon::instance()->getDevice(socket->peerVerifyName()); for (const QSslError& error : errors) {
if (device) { if (error.error() != QSslError::SelfSignedCertificate) {
device->unpair(); qCCritical(KDECONNECT_CORE) << "Disconnecting due to fatal SSL Error: " << error;
fatal = true;
} else {
qCDebug(KDECONNECT_CORE) << "Ignoring self-signed cert error";
}
} }
delete m_receivedIdentityPackets.take(socket).np; if (fatal) {
// Socket disconnects itself on ssl error and will be deleted by deleteLater slot, no need to delete manually socket->disconnectFromHost();
delete m_receivedIdentityPackets.take(socket).np;
}
} }
//I'm the new device and this is the answer to my UDP identity packet (no data received yet). They are connecting to us through TCP, and they should send an identity. //I'm the new device and this is the answer to my UDP identity packet (no data received yet). They are connecting to us through TCP, and they should send an identity.
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment