Fossil

Check-in [fc93bfb0]
Login

Many hyperlinks are disabled.
Use anonymous login to enable hyperlinks.

Overview
Comment:When displaying an unknown certificate, also display the certificate fingerprint so the user can verify they're seeing the certificate they expect. Just displaying the textual names in the certificate does not give enough information to be certain someone isn't doing a man in the middle attack.
Downloads: Tarball | ZIP archive | SQL archive
Timelines: family | ancestors | descendants | both | ben-security
Files: files | file ages | folders
SHA1:fc93bfb0f720e5d1a2963a60b4c263f7f7b01e39
User & Date: ben 2011-05-22 14:53:02
Context
2011-05-22
15:08
Follow web app best practise by marking cookies as HttpOnly and, if it's over an https connection, as 'secure' so they will only be transmitted over https. Options supported by major browsers, and harmless where not supported. check-in: e4b57a32 user: ben tags: ben-security
14:53
When displaying an unknown certificate, also display the certificate fingerprint so the user can verify they're seeing the certificate they expect. Just displaying the textual names in the certificate does not give enough information to be certain someone isn't doing a man in the middle attack. check-in: fc93bfb0 user: ben tags: ben-security
14:23
Create new branch named "ben-security" check-in: 2b4a6a66 user: ben tags: ben-security
Changes
Hide Diffs Unified Diffs Ignore Whitespace Patch

Changes to src/http_ssl.c.

180
181
182
183
184
185
186


187
188
189
190
191







192
193
194
195
196
197
198
  }

  if( SSL_get_verify_result(ssl) != X509_V_OK ){
    char *desc, *prompt;
    char *warning = "";
    Blob ans;
    BIO *mem;


    
    mem = BIO_new(BIO_s_mem());
    X509_NAME_print_ex(mem, X509_get_subject_name(cert), 2, XN_FLAG_MULTILINE);
    BIO_puts(mem, "\n\nIssued By:\n\n");
    X509_NAME_print_ex(mem, X509_get_issuer_name(cert), 2, XN_FLAG_MULTILINE);







    BIO_write(mem, "", 1); // null-terminate mem buffer
    BIO_get_mem_data(mem, &desc);
    
    if( hasSavedCertificate ){
      warning = "WARNING: Certificate doesn't match the "
                "saved certificate for this host!";
    }







>
>





>
>
>
>
>
>
>







180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
  }

  if( SSL_get_verify_result(ssl) != X509_V_OK ){
    char *desc, *prompt;
    char *warning = "";
    Blob ans;
    BIO *mem;
    unsigned char md[32];
    unsigned int mdLength = 31;
    
    mem = BIO_new(BIO_s_mem());
    X509_NAME_print_ex(mem, X509_get_subject_name(cert), 2, XN_FLAG_MULTILINE);
    BIO_puts(mem, "\n\nIssued By:\n\n");
    X509_NAME_print_ex(mem, X509_get_issuer_name(cert), 2, XN_FLAG_MULTILINE);
    BIO_puts(mem, "\n\nSHA1 Fingerprint:\n\n ");
    if(X509_digest(cert, EVP_sha1(), md, &mdLength)){
      int j;
      for( j = 0; j < mdLength; ++j ) {
        BIO_printf(mem, " %02x", md[j]);
      }
    }
    BIO_write(mem, "", 1); // null-terminate mem buffer
    BIO_get_mem_data(mem, &desc);
    
    if( hasSavedCertificate ){
      warning = "WARNING: Certificate doesn't match the "
                "saved certificate for this host!";
    }