[Tkabber-dev] r1393 - branches/tls

tkabber-svn at jabber.ru tkabber-svn at jabber.ru
Fri Mar 14 04:56:49 MSK 2008


Author: kostix
Date: 2008-03-14 04:56:48 +0300 (Fri, 14 Mar 2008)
New Revision: 1393

Added:
   branches/tls/TODO
Modified:
   branches/tls/iface.tcl
   branches/tls/login.tcl
Log:
login.tcl:
 * Rehashed SSL/TLS options, removed "tls_warnings" and its group.
 * Added parsing of Subject/Issuer into parts.
 * Added VIM modeline.

iface.tcl: VIM modeline added.

TODO: Added transient tasks file.


Added: branches/tls/TODO
===================================================================
--- branches/tls/TODO	                        (rev 0)
+++ branches/tls/TODO	2008-03-14 01:56:48 UTC (rev 1393)
@@ -0,0 +1,36 @@
+$Id$
+
+* Implement storage of login conf data in some global state
+  bound to connid; some bits of it should be reachable from
+  [client:tls_callback].
+
+* Implement hook certificate_verification_hook,
+  which should be called on verification check.
+  Most of current [client:tls_callback] should be moved
+  there.
+
+* Create a TLS warning dialog which should be shown to
+  the user on TLS verification callbacks with non-empty
+  "reason" field.
+  This dialog should:
+  * Show cert params in r/o editboxes so their contents
+    could be copied by the user.
+	(Alternatively, provide Ctrl-c shortcut and one message).
+  * Special action selector:
+    * Fail immediately (default);
+    * Ignore this problem;
+    * Trust this cert once;
+	* Trust this cert permanently;
+  * Just two buttons: OK and Cancel; the latter must
+    behave as "Fail immediately".
+  The idea of actions:
+  * Fail immediately -- tear down the connection.
+  * Ignore problem -- proceed.
+  * Trust once -- proceed, ignore any possible verification probs.
+  * Trust prem. -- as above, but stash its hash to some Customize
+    variable for future checks.
+
+* Some UI should be created to manage trusted certs.
+  This means that at least Subject and Issuer shold be kept
+  along with the hash.
+


Property changes on: branches/tls/TODO
___________________________________________________________________
Name: svn:keywords
   + Id
Name: svn:eol-style
   + native

Modified: branches/tls/iface.tcl
===================================================================
--- branches/tls/iface.tcl	2008-03-13 23:41:43 UTC (rev 1392)
+++ branches/tls/iface.tcl	2008-03-14 01:56:48 UTC (rev 1393)
@@ -114,3 +114,4 @@
     hook::run clear_status_hook
 }
 
+# vim:ts=8:sw=4:sts=4:noet

Modified: branches/tls/login.tcl
===================================================================
--- branches/tls/login.tcl	2008-03-13 23:41:43 UTC (rev 1392)
+++ branches/tls/login.tcl	2008-03-14 01:56:48 UTC (rev 1393)
@@ -1,6 +1,5 @@
 # $Id$
 
-
 if {[lcontain [jlib::capabilities transport] tls]} {
     set use_tls 1
 } else {
@@ -31,14 +30,6 @@
     set have_http_poll 0
 }
 
-custom::defgroup Warnings [::msgcat::mc "Warning display options."] \
-    -group Tkabber
-
-if {$use_tls} {
-    custom::defvar tls_warnings 1 [::msgcat::mc "Display SSL warnings."] \
-	-group Warnings -type boolean
-}
-
 custom::defgroup Login \
     [::msgcat::mc "Login options."] \
     -group Tkabber
@@ -96,15 +87,57 @@
 }
 
 if {$use_tls} {
+    custom::defgroup SSL/TLS [::msgcat::mc "SSL/TLS options."] \
+	-group Login
+
+    switch -- $tcl_platform(platform) {
+	unix {
+	    set defcacertstore /etc/ssl/certs
+	}
+	windows {
+	    set defcacertstore C:/OpenSSL/certs
+	}
+	default {
+	    set defcacertstore ""
+	}
+    }
+
+    custom::defvar loginconf(sslcacertstore) $defcacertstore \
+	[::msgcat::mc "SSL certification authority file or directory (optional).\
+	    Specifies a storage containing certificates\
+	    of trusted Certification Authorities (CAs) which will be\
+	    used to verify server certificates."] \
+	-group SSL/TLS -type file
     custom::defvar loginconf(sslcertfile) "" \
-	[::msgcat::mc "SSL certificate file (optional)."] \
-	-group Login -type file
-    custom::defvar loginconf(sslcacertstore) "" \
-	[::msgcat::mc "SSL certification authority file or directory (optional)."] \
-	-group Login -type file
+	[::msgcat::mc "Client's SSL certificate file (optional)."] \
+	-group SSL/TLS -type file
     custom::defvar loginconf(sslkeyfile) "" \
-	[::msgcat::mc "SSL private key file (optional)."] \
-	-group Login -type file
+	[::msgcat::mc "Client's SSL private key file (optional)."] \
+	-group SSL/TLS -type file
+
+    custom::defvar loginconf(ssl_accept_untrusted_certs) 0 \
+	[::msgcat::mc "Silently acccept server certificates\
+	    which cannot be verified."] \
+	-group SSL/TLS -type boolean
+
+    custom::defvar loginconf(ssl_accept_mismatched_domains) 0 \
+	[::msgcat::mc "Silently acccept server certificates\
+	    which Canonical Name (CN) doesn't match the\
+	    login domain. Note: this setting doesn't affect certificates\
+	    having CN field which doesn't look like a (possibly wildcarded)\
+	    domain name."] \
+	-group SSL/TLS -type boolean
+
+    if 0 {
+    custom::defvar loginconf(ssl_accept_wildcard_domains) 1 \
+	[::msgcat::mc "Silently acccept server certificates\
+	    which Canonical Name (CN) contains a wildcarded domain\
+	    name and the login domain matches thanks to the\
+	    wildcard part."] \
+	-group SSL/TLS -type boolean
+    }
+
+    unset defcacertstore
 }
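Review bot: The user-facing option descriptions added at L153, L158 and L167 misspell "accept" as "acccept", and L159/L168 call CN "Canonical Name" — in an X.509 subject CN is the Common Name, so the text should read along the lines of `"Silently accept server certificates whose Common Name (CN) doesn't match the login domain. ..."`. Because these strings are also the msgcat lookup keys, any existing translation catalogues keyed on them need updating in the same change. The `if 0 { ... }` wrapper around `ssl_accept_wildcard_domains` is dead code that custom::defvar never sees; either drop it or replace it with a comment stating why that option is deferred. The defaults `/etc/ssl/certs` and `C:/OpenSSL/certs` are assigned without checking that the path exists, and whether a missing store makes verification fail closed or is silently skipped is not visible here — worth confirming and documenting next to `defcacertstore`, since `ssl_accept_untrusted_certs` defaults to 0 and users will expect verification to actually happen.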
 
 if {$have_proxy} {
@@ -288,11 +321,18 @@
 	    }
 	    set info [::msgcat::mc [string totitle $reason 0 0]]
 	    append tls_warning_info($connid) "$info\n"
+	    # TODO fetch this from some global state:
+	    set tls_warnings 1 ;# temporary hack
 	    if {!$tls_warnings} {
 		return 1
 	    }
 	    append info [::msgcat::mc ". Proceed?\n\n"]
 	    foreach {k v} [lindex $args 3] {
+		switch -- $k {
+		    subject - issuer {
+			set v [regsub -all {\s*[/,]\s*(\w+=)} $v \n\t\\1]
+		    }
+		}
 		if {![cequal $v ""] && [info exists ssl_certificate_fields($k)]} {
 		    append info [format "%s: %s\n" $ssl_certificate_fields($k) $v]
 		}
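Review bot: `set tls_warnings 1 ;# temporary hack` at L183 makes the `if {!$tls_warnings} { return 1 }` check that follows unreachable, and since this commit removes the `tls_warnings` Customize variable, the natural replacement is the new per-login `loginconf(ssl_accept_untrusted_certs)` option — it should however gate only the specific unverifiable-certificate reason rather than every callback reason, otherwise one setting silences all TLS warnings. The new `regsub` for subject/issuer splits only on `/` or `,` followed by `\w+=`, so attribute types written as dotted OIDs (for example `1.2.3.4=`) would stay joined to the preceding field; whether that occurs depends on how the TLS layer formats the DN strings, which is not visible here. A one-line comment such as `# Break a one-line DN into one attribute per line for display` above the switch would make the intent clear. The enclosing callback begins before and ends after this hunk.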
@@ -331,6 +371,7 @@
 proc login_connect {logindata} {
     global use_tls have_compress have_sasl have_http_poll have_proxy
     global tls_warning_info
+    global loginparams
 
     array set lc $logindata
 
@@ -730,3 +771,4 @@
     logout
 }
 
+# vim:ts=8:sw=4:sts=4:noet


