Allow other SSL errors as long as the cert is correct

2025-03-02 13:47:12 +00:00 · 2019-03-16 18:50:07 -07:00 · 2019-03-16 18:50:07 -07:00 · 37636ef1eb
commit 37636ef1eb
parent c540bec824
2 changed files with 32 additions and 20 deletions
--- a/app/backend/nvhttp.cpp
+++ b/app/backend/nvhttp.cpp
@ -33,6 +33,8 @@ NvHTTP::NvHTTP(QString address, QSslCertificate serverCert) :
    // Never use a proxy server
    QNetworkProxy noProxy(QNetworkProxy::NoProxy);
    m_Nam.setProxy(noProxy);
+
+    connect(&m_Nam, &QNetworkAccessManager::sslErrors, this, &NvHTTP::handleSslErrors);
 }

 void NvHTTP::setServerCert(QSslCertificate serverCert)
@ -377,6 +379,28 @@ NvHTTP::getXmlString(QString xml,
    return nullptr;
 }

+void NvHTTP::handleSslErrors(QNetworkReply* reply, const QList<QSslError>& errors)
+{
+    bool ignoreErrors = true;
+
+    if (m_ServerCert.isNull()) {
+        // We should never make an HTTPS request without a cert
+        Q_ASSERT(!m_ServerCert.isNull());
+        return;
+    }
+
+    for (auto error : errors) {
+        if (m_ServerCert != error.certificate()) {
+            ignoreErrors = false;
+            break;
+        }
+    }
+
+    if (ignoreErrors) {
+        reply->ignoreSslErrors(errors);
+    }
+}
+
 QString
 NvHTTP::openConnectionToString(QUrl baseUrl,
                               QString command,
@ -413,33 +437,16 @@ NvHTTP::openConnection(QUrl baseUrl,
                 QUuid::createUuid().toRfc4122().toHex() +
                 ((arguments != nullptr) ? ("&" + arguments) : ""));

-    QNetworkRequest request = QNetworkRequest(url);
+    QNetworkRequest request(url);

    // Add our client certificate
    request.setSslConfiguration(IdentityManager::get()->getSslConfig());

    QNetworkReply* reply = m_Nam.get(request);

-    // Assert that we always have a server cert for HTTPS, since
-    // the request will fail anyway if we do not.
-    Q_ASSERT(!m_ServerCert.isNull() || baseUrl == m_BaseUrlHttp);
-
-    if (!m_ServerCert.isNull()) {
-        // Pin the server certificate received during pairing
-        QList<QSslError> expectedSslErrors;
-        expectedSslErrors.append(QSslError(QSslError::HostNameMismatch, m_ServerCert));
-        expectedSslErrors.append(QSslError(QSslError::SelfSignedCertificate, m_ServerCert));
-
-        // The SecureTransport backend for Qt TLS on macOS throws CertificateUntrusted
-        // instead of SelfSignedCertificate, so we will need to allow that error too.
-        expectedSslErrors.append(QSslError(QSslError::CertificateUntrusted, m_ServerCert));
-
-        reply->ignoreSslErrors(expectedSslErrors);
-    }
-
    // Run the request with a timeout if requested
    QEventLoop loop;
-    QObject::connect(reply, SIGNAL(finished()), &loop, SLOT(quit()));
+    connect(reply, SIGNAL(finished()), &loop, SLOT(quit()));
    if (timeoutMs) {
        QTimer::singleShot(timeoutMs, &loop, SLOT(quit()));
    }
--- a/app/backend/nvhttp.h
+++ b/app/backend/nvhttp.h
@ -113,8 +113,10 @@ private:
    QString m_ErrorText;
 };

-class NvHTTP
+class NvHTTP : public QObject
 {
+    Q_OBJECT
+
 public:
    enum NvLogLevel {
        NVLL_NONE,
@ -184,6 +186,9 @@ public:
    QUrl m_BaseUrlHttp;
    QUrl m_BaseUrlHttps;
 private:
+    void
+    handleSslErrors(QNetworkReply* reply, const QList<QSslError>& errors);
+
    QNetworkReply*
    openConnection(QUrl baseUrl,
                   QString command,