Forbid trusting the untrusted certificate.

Signed-off-by: alex-z <blackslayer4@gmail.com>
2025-10-26 11:17:43 +00:00 · 2021-10-26 14:27:22 +03:00 · 2021-10-26 14:27:22 +03:00 · db4e54025a
commit db4e54025a
parent 907ebc1959
5 changed files with 22 additions and 2 deletions
--- a/NEXTCLOUD.cmake
+++ b/NEXTCLOUD.cmake
@ -12,6 +12,7 @@ set( APPLICATION_SERVER_URL_ENFORCE ON ) # If set and APPLICATION_SERVER_URL is
 set( APPLICATION_REV_DOMAIN "com.nextcloud.desktopclient" )
 set( APPLICATION_VIRTUALFILE_SUFFIX "nextcloud" CACHE STRING "Virtual file suffix (not including the .)")
 set( APPLICATION_OCSP_STAPLING_ENABLED OFF )
+set( APPLICATION_FORBID_BAD_SSL OFF )

 set( LINUX_PACKAGE_SHORTNAME "nextcloud" )
 set( LINUX_APPLICATION_ID "${APPLICATION_REV_DOMAIN}.${LINUX_PACKAGE_SHORTNAME}")
--- a/config.h.in
+++ b/config.h.in
@ -30,6 +30,7 @@
 #cmakedefine APPLICATION_WIZARD_USE_CUSTOM_LOGO "@APPLICATION_WIZARD_USE_CUSTOM_LOGO@"
 #cmakedefine APPLICATION_VIRTUALFILE_SUFFIX "@APPLICATION_VIRTUALFILE_SUFFIX@"
 #cmakedefine APPLICATION_OCSP_STAPLING_ENABLED "@APPLICATION_OCSP_STAPLING_ENABLED@"
+#cmakedefine APPLICATION_FORBID_BAD_SSL "@APPLICATION_FORBID_BAD_SSL@"
 #define APPLICATION_DOTVIRTUALFILE_SUFFIX "." APPLICATION_VIRTUALFILE_SUFFIX

 #cmakedefine ZLIB_FOUND @ZLIB_FOUND@
--- a/src/gui/sslerrordialog.cpp
+++ b/src/gui/sslerrordialog.cpp
@ -13,6 +13,7 @@
 */
 #include "configfile.h"
 #include "sslerrordialog.h"
+#include "theme.h"

 #include <QtGui>
 #include <QtNetwork>
@ -68,6 +69,8 @@ SslErrorDialog::SslErrorDialog(AccountPtr account, QWidget *parent)
    QPushButton *cancelButton =
        _ui->_dialogButtonBox->button(QDialogButtonBox::Cancel);
    okButton->setEnabled(false);
+
+    _ui->_cbTrustConnect->setEnabled(!Theme::instance()->forbidBadSSL());
    connect(_ui->_cbTrustConnect, &QAbstractButton::clicked,
        okButton, &QWidget::setEnabled);

@ -136,7 +139,6 @@ bool SslErrorDialog::checkFailingCertsKnown(const QList<QSslError> &errors)
    msg += QL("<h3>") + tr("Cannot connect securely to <i>%1</i>:").arg(host) + QL("</h3>");
    // loop over the unknown certs and line up their errors.
    msg += QL("<div id=\"ca_errors\">");
-
    foreach (const QSslCertificate &cert, _unknownCerts) {
        msg += QL("<div id=\"ca_error\">");
        // add the errors for this cert
@ -153,7 +155,7 @@ bool SslErrorDialog::checkFailingCertsKnown(const QList<QSslError> &errors)
    }

    if (!additionalErrorStrings.isEmpty()) {
-        msg += QL("<h3>") + tr("Additional errors:") + QL("</h3>");
+        msg += QL("<h4>") + tr("Additional errors:") + QL("</h4>");

        for (const auto &errorString : additionalErrorStrings) {
            msg += QL("<div id=\"ca_error\">");
--- a/src/libsync/theme.cpp
+++ b/src/libsync/theme.cpp
@ -408,6 +408,15 @@ bool Theme::enableStaplingOCSP() const
 #endif
 }

+bool Theme::forbidBadSSL() const
+{
+#ifdef APPLICATION_FORBID_BAD_SSL
+    return true;
+#else
+    return false;
+#endif
+}
+
 QString Theme::forceConfigAuthType() const
 {
    return QString();
--- a/src/libsync/theme.h
+++ b/src/libsync/theme.h
@ -247,6 +247,13 @@ public:
     */
    virtual bool enableStaplingOCSP() const;

+    /**
+     * Enforce SSL validity
+     *
+     * When true, trusting the untrusted certificate is not allowed
+     */
+    virtual bool forbidBadSSL() const;
+
    /**
     * This is only usefull when previous version had a different overrideServerUrl
     * with a different auth type in that case You should then specify "http" or "shibboleth".