Quoth Markus Teich:
> > I recently wrote a patch that printed useful debug info about SSL failures,
> > but it got lost when mailman went down and I haven't re-sent it yet. I'll
> > try to remember to send it to the list tonight.
>
> That could be very helpful. I'm looking forward to it.
It's attached. It was against the trunk a week or so ago, but probably still applies ;)

Incidentally, does anyone have any thoughts about the best ways to display this sort of extra status information? stderr is fine in a pinch, but in general I don't run my surf sessions from a terminal so most of the time it'd be non-trivial to fetch the output.

Oh, and note I'm not sure whether it'll print the ssl failure output if you have sslstrict on - I haven't tested but it may well abort the connection before surf gets a hold of it.

Nick

>From cfe99acb2382bf9b141042e406bce654e4b9a8be Mon Sep 17 00:00:00 2001 From: Nick White <g...@njw.me.uk> Date: Mon, 3 Feb 2014 17:02:43 +0000 Subject: [PATCH] Print certificate errors on stderr --- surf.c | 43 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 43 insertions(+) diff --git a/surf.c b/surf.c index e967672..14de226 100644 --- a/surf.c +++ b/surf.c @@ -69,6 +69,21 @@ typedef struct { SoupCookieJarTextClass parent_class; } CookieJarClass; +typedef struct { + int flag; + char *errstr; +} TlsError; + +static TlsError tlserrors[] = { + { G_TLS_CERTIFICATE_UNKNOWN_CA, "The signing certificate authority is not known." }, + { G_TLS_CERTIFICATE_BAD_IDENTITY, "The certificate does not match the expected identity of the site that it was retrieved from." }, + { G_TLS_CERTIFICATE_NOT_ACTIVATED, "The certificate's activation time is still in the future." }, + { G_TLS_CERTIFICATE_EXPIRED, "The certificate has expired." }, + { G_TLS_CERTIFICATE_REVOKED, "The certificate has been revoked." }, + { G_TLS_CERTIFICATE_INSECURE, "The certificate's algorithm is considered insecure." }, + { G_TLS_CERTIFICATE_GENERIC_ERROR, "A general error occurred validating the certificate." }, +}; + G_DEFINE_TYPE(CookieJar, cookiejar, SOUP_TYPE_COOKIE_JAR_TEXT) static Display *dpy; @@ -630,7 +645,13 @@ loadstatuschange(WebKitWebView *view, GParamSpec *pspec, Client *c) { WebKitWebDataSource *src; WebKitNetworkRequest *request; SoupMessage *msg; + SoupSession *session; + GTlsCertificate *cert; + GTlsCertificateFlags flags; char *uri; + char *cut_uri; + char *s; + int i; switch(webkit_web_view_get_load_status (c->view)) { case WEBKIT_LOAD_COMMITTED: 
@@ -642,6 +663,28 @@ loadstatuschange(WebKitWebView *view, GParamSpec *pspec, Client *c) { msg = webkit_network_request_get_message(request); c->sslfailed = !(soup_message_get_flags(msg) & SOUP_MESSAGE_CERTIFICATE_TRUSTED); + if(c->sslfailed) { + /* For some reason the https status can't be got from webkit's soup msg, + * so we make a dummy connection to the server's homepage here. */ + cut_uri = g_strdup(uri); + s = cut_uri; + for (i = 0; i < 3; ++i) { + s = strchr(&(s[1]), '/'); + } + s[1] = '\0'; + msg = soup_message_new("HEAD", uri); + soup_message_set_flags(msg, SOUP_MESSAGE_NO_REDIRECT); + session = webkit_get_default_session(); + soup_session_send_message(session, msg); + + soup_message_get_https_status(msg, &cert, &flags); + + for(i = 0; i < LENGTH(tlserrors); i++) { + if(flags & tlserrors[i].flag) { + fprintf(stderr, "%s - %s\n", uri, tlserrors[i].errstr); + } + } + } } setatom(c, AtomUri, uri); break; -- 1.7.10.4
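Review bot: In the first hunk (the tlserrors table added after CookieJarClass), errstr is declared char * although it only ever points at string literals, and the table is never written to. Declare the member as const char *errstr and the array as static const TlsError tlserrors[] so the data is read-only. The flag member holds G_TLS_CERTIFICATE_* values and is later tested against a GTlsCertificateFlags variable, so giving it that type instead of int would make the intent explicit.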
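Review bot: In the last hunk, inside if(c->sslfailed), the truncated copy cut_uri is built but never used: soup_message_new("HEAD", uri) and the fprintf both take the full uri, so the request does not go to the server's homepage as the comment says, and the g_strdup result is never freed. Pass cut_uri to soup_message_new, g_free it afterwards, and unref the new msg once the flags have been read. The strchr loop needs a NULL check on each iteration, because a URI with fewer than three slashes leaves s NULL before &(s[1]) and s[1] = '\0' are evaluated. The return value of soup_message_get_https_status is ignored and flags has no initialiser, so initialise flags to 0 and only walk tlserrors when the call succeeds. Since the flags come from a separate dummy connection rather than from the page load that set c->sslfailed, the stderr line should say so, as the two connections may not be presented the same certificate.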