From 986714c9e1b58ca4dffe66653f054c2f16d1fc2b Mon Sep 17 00:00:00 2001
From: Michael Zanetti
Date: Sat, 23 Jan 2021 14:04:33 +0100
Subject: [PATCH] Fix encryption flag erraneously set for "ws" connections This could cause the client to think that there is a certificate mismatch if there is a pinned certificate for this host already and we then connect to an unecrypted ws socket. Also, disconnect clients before raising the certificate mismatch error in case a client implementation would just ignore this and reconnect syncronously right way.
---
 libnymea-app/connection/nymeaconnection.cpp | 2 +-
 libnymea-app/connection/websockettransport.cpp | 2 +-
 libnymea-app/jsonrpc/jsonrpcclient.cpp | 9 +++++----
 3 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/libnymea-app/connection/nymeaconnection.cpp b/libnymea-app/connection/nymeaconnection.cpp
index 635f7b0e..4593c812 100644
--- a/libnymea-app/connection/nymeaconnection.cpp
+++ b/libnymea-app/connection/nymeaconnection.cpp
@@ -250,7 +250,7 @@ void NymeaConnection::onConnected()
 NymeaTransportInterface* newTransport = qobject_cast(sender());
 if (!m_currentTransport) {
 m_currentTransport = newTransport;
- qDebug() << "NymeaConnection: Connected to" << m_currentHost->name() << "via" << m_currentTransport->url();
+ qDebug() << "NymeaConnection: Connected to" << m_currentHost->name() << "via" << m_currentTransport->url() << m_currentTransport->isEncrypted();
 emit currentConnectionChanged();
 emit connectedChanged(true);
 return;
diff --git a/libnymea-app/connection/websockettransport.cpp b/libnymea-app/connection/websockettransport.cpp
index 033a4929..6a4829af 100644
--- a/libnymea-app/connection/websockettransport.cpp
+++ b/libnymea-app/connection/websockettransport.cpp
@@ -101,7 +101,7 @@ void WebsocketTransport::ignoreSslErrors(const QList &errors)
 bool WebsocketTransport::isEncrypted() const
 {
- return !m_socket->sslConfiguration().isNull();
+ return m_url.scheme() == "wss";
 }
 QSslCertificate WebsocketTransport::serverCertificate() const
diff --git a/libnymea-app/jsonrpc/jsonrpcclient.cpp b/libnymea-app/jsonrpc/jsonrpcclient.cpp
index 796c43e3..ee39c506 100644
--- a/libnymea-app/jsonrpc/jsonrpcclient.cpp
+++ b/libnymea-app/jsonrpc/jsonrpcclient.cpp
@@ -665,14 +665,15 @@ void JsonRpcClient::helloReply(int /*commandId*/, const QVariantMap ¶ms)
 if (m_connection->sslCertificate().toPem() != pem) {
 // Uh oh, the certificate has changed
 qWarning() << "This connections certificate has changed!";
-
- QSslCertificate certificate = m_connection->sslCertificate();
- QVariantMap issuerInfo = certificateIssuerInfo();
- emit verifyConnectionCertificate(m_serverUuid, issuerInfo, certificate.toPem());
+ qWarning() << "Old PEM:" << pem;
+ qWarning() << "New PEM:" << m_connection->sslCertificate().toPem();
 // Reject the connection until the UI explicitly accepts this...
 m_connection->disconnectFromHost();
+ QSslCertificate certificate = m_connection->sslCertificate();
+ QVariantMap issuerInfo = certificateIssuerInfo();
+ emit verifyConnectionCertificate(m_serverUuid, issuerInfo, certificate.toPem());
 return;
 }
 qDebug() << "This connections certificate is trusted.";
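Review bot: `isEncrypted()` in websockettransport.cpp now reports what the URL asks for rather than what the socket negotiated, and nothing in the function records why the socket-based test was dropped. A one-line comment above the return would keep the old check from being reintroduced, for example `// sslConfiguration() was also non-null for plain ws:// sockets, so decide by the URL scheme`. Because the value comes from `m_url` alone, it is presumably also true for a `wss` URL before the TLS handshake has completed or after the socket has closed, which callers that gate the pinned-certificate comparison on it should keep in mind.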
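Review bot: In the jsonrpcclient.cpp hunk the certificate and issuer info are now read after `m_connection->disconnectFromHost();`, so if the disconnect tears the transport down synchronously, `m_connection->sslCertificate()` may return a null certificate and the UI would be asked to verify, and possibly pin, an empty PEM. Capture `certificate` and `issuerInfo` before the disconnect and leave only `emit verifyConnectionCertificate(m_serverUuid, issuerInfo, certificate.toPem());` after it, which still disconnects before the signal is raised. The two added `qWarning()` lines dump both full PEMs; a fingerprint such as `certificate.digest(QCryptographicHash::Sha256).toHex()` is shorter and easier to compare in a log. helloReply's body starts and ends outside the hunk, so whether sslCertificate() stays valid after the disconnect cannot be confirmed from the visible lines.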