Accept self-signed certificates by default, references OtterBrowser#550

queria · Jan 30, 2015 · 3c4c1bc · 3c4c1bc
1 parent 401453f
commit 3c4c1bc
Show file tree

Hide file tree

Showing 4 changed files with 84 additions and 6 deletions.
diff --git a/resources/schemas/options.ini b/resources/schemas/options.ini
@@ -465,6 +465,10 @@ value=false
 type=string
 value=default
 
+[Security/AcceptSelfSignedCerts]
+type=bool
+value=true
+
 [Sidebar/CurrentPanel]
 type=string
 value=

diff --git a/src/core/NetworkManager.cpp b/src/core/NetworkManager.cpp
@@ -130,6 +130,45 @@ void NetworkManager::handleSslErrors(QNetworkReply *reply, const QList<QSslError
 	}
 }
 
+bool NetworkManager::shouldHandleSelfSignedError(QSslError error, QUrl url)
+{
+	return (!url.isEmpty()
+			&& SettingsManager::getValue(QLatin1String("Security/AcceptSelfSignedCerts")).toBool()
+			&& (error.error() == QSslError::SelfSignedCertificate
+				|| error.error() == QSslError::SelfSignedCertificateInChain));
+}
+
+QString NetworkManager::getKnownSelfSignedHash(QUrl url)
+{
+	QStringList known = SettingsManager::getValue(QLatin1String("Security/KnownSelfSigned"), url).toStringList();
+	QString portIdent = QString("%1:").arg(url.port(443));
+
+	for(int i = 0; i < known.count(); ++i)
+	{
+	  if(known.at(i).startsWith(portIdent)) {
+		  return known.at(i).right(known.at(i).length() - portIdent.length());
+	  }
+	}
+	return "";
+}
+
+void NetworkManager::setKnownSelfSignedHash(QUrl url, QString hash)
+{
+	QStringList known = SettingsManager::getValue(QLatin1String("Security/KnownSelfSigned"), url).toStringList();
+	QString portIdent = QString("%1:").arg(url.port(443));
+
+	for(int i = 0; i < known.count(); ++i)
+	{
+		if(known.at(i).startsWith(portIdent)) {
+			known.removeAt(i);
+			break;
+		}
+	}
+	known << (portIdent + hash);
+
+	SettingsManager::setValue(QLatin1String("Security/KnownSelfSigned"), known, url);
+}
+
 CookieJar* NetworkManager::getCookieJar()
 {
 	return m_cookieJar;

diff --git a/src/core/NetworkManager.h b/src/core/NetworkManager.h
@@ -38,6 +38,9 @@ class NetworkManager : public QNetworkAccessManager
 
 protected:
 	virtual QNetworkReply* createRequest(Operation operation, const QNetworkRequest &request, QIODevice *outgoingData);
+	bool shouldHandleSelfSignedError(QSslError error, QUrl url);
+	QString getKnownSelfSignedHash(QUrl url);
+	void setKnownSelfSignedHash(QUrl url, QString hash);
 
 protected slots:
 	virtual void handleAuthenticationRequired(QNetworkReply *reply, QAuthenticator *authenticator);

diff --git a/src/modules/backends/web/qtwebkit/QtWebKitNetworkManager.cpp b/src/modules/backends/web/qtwebkit/QtWebKitNetworkManager.cpp
@@ -137,6 +137,28 @@ void QtWebKitNetworkManager::handleSslErrors(QNetworkReply *reply, const QList<Q
 			{
 				errorsToIgnore.append(errors.at(i));
 			}
+			else if (shouldHandleSelfSignedError(errors.at(i), m_widget->getUrl()))
+			{ // if this is self-signed case and we can handle it ...
+				QString oldSelfSignedHash = getKnownSelfSignedHash(m_widget->getUrl());
+				QString newSelfSignedHash = errors.at(i).certificate().digest(QCryptographicHash::Sha1).toHex();
+
+				if (oldSelfSignedHash.isEmpty())
+				{ // first time we see this self-signed page/cert
+					setKnownSelfSignedHash(m_widget->getUrl(), newSelfSignedHash);
+					errorsToIgnore.append(errors.at(i));
+				}
+				else if (oldSelfSignedHash == newSelfSignedHash)
+				{ // same cert as last time
+					errorsToIgnore.append(errors.at(i));
+				}
+				else
+				{ // cert has changed
+					messages.append(tr("Self-signed certificate for %1 has changed!\n\nSHA1 fingerprints:\n old: %2\n new: %3!")
+							.arg(m_widget->getUrl().toString(QUrl::RemoveUserInfo | QUrl::RemovePath))
+							.arg(oldSelfSignedHash)
+							.arg(newSelfSignedHash));
+				}
+			}
 			else
 			{
 				messages.append(errors.at(i).errorString());
@@ -181,15 +203,25 @@ void QtWebKitNetworkManager::handleSslErrors(QNetworkReply *reply, const QList<Q
 		{
 			for (int i = 0; i < errors.count(); ++i)
 			{
-				const QString digest = errors.at(i).certificate().digest().toBase64();
-
-				if (!ignoredErrors.contains(digest))
-				{
-					ignoredErrors.append(digest);
+				if(shouldHandleSelfSignedError(errors.at(i), m_widget->getUrl())) {
+					setKnownSelfSignedHash(
+							m_widget->getUrl(),
+							errors.at(i).certificate().digest(QCryptographicHash::Sha1).toHex());
+
+				} else {
+					const QString digest = errors.at(i).certificate().digest().toBase64();
+
+					if (!ignoredErrors.contains(digest))
+					{
+						ignoredErrors.append(digest);
+					}
 				}
 			}
 
-			SettingsManager::setValue(QLatin1String("Security/IgnoreSslErrors"), ignoredErrors, m_widget->getUrl());
+			if (!ignoredErrors.isEmpty())
+			{
+				SettingsManager::setValue(QLatin1String("Security/IgnoreSslErrors"), ignoredErrors, m_widget->getUrl());
+			}
 		}
 	}
 }