author | Jens Lechtenboerger <jens.lechtenboerger@fsfe.org> | 2014-02-22 18:43:17 +0100 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2014-02-23 08:29:06 +0100 |
commit | 0f2809025bbbced10c1d66d4f58c16d51ef3176a (patch) | |
tree | 7df28211d9bcec659d348b8971d76b262456620b | |
parent | 33b9f8940a5fbd6d685bb05d32a0dc2bb78a40b0 (diff) | |
download | gnutls-0f2809025bbbced10c1d66d4f58c16d51ef3176a.tar.gz |
New option --stricttofu for gnutls-cli
With option --tofu, gnutls-cli stops and asks a yes/no question when a
certificate changes. I added the option --stricttofu, which omits the
question and fails instead.
The contribution is in accordance to the "Developer's Certificate of
Origin" as found in the file doc/DCO.txt.
Best wishes
Jens
Signed-off-by: Jens Lechtenbörger <jens.lechtenboerger@fsfe.org>
-rw-r--r-- | src/cli-args.def | 9 | ||||
-rw-r--r-- | src/cli.c | 16 |
2 files changed, 20 insertions, 5 deletions
diff --git a/src/cli-args.def b/src/cli-args.def
index 6f9c722bab..252d6ad0e5 100644
--- a/src/cli-args.def
+++ b/src/cli-args.def
@@ -21,6 +21,14 @@ flag = {
 };
 flag = {
+ name = strict-tofu;
+ descrip = "Fail to connect if a known certificate has changed";
+ disabled;
+ disable = "no";
+ doc = "This option will perform authentication as with option --tofu; however, while --tofu asks whether to trust a changed certificate, this option will fail in case of certificate changes.";
+};
+
+flag = {
 name = dane;
 descrip = "Enable DANE certificate verification (DNSSEC)";
 disabled;
@@ -421,4 +429,3 @@ $ gnutls-cli www.example.com --x509keyfile $MYKEY --x509certfile MYCERT
 Notice that the private key only differs from the certificate in the object-type.
 _EOF_;
 };
-
@@ -421,6 +421,11 @@ static int cert_verify_callback(gnutls_session_t session)
 int rc;
 unsigned int status = 0;
 int ssh = ENABLED_OPT(TOFU);
+ int strictssh = ENABLED_OPT(STRICT_TOFU);
+ if (strictssh) {
+ ssh = strictssh;
+ }
+
 #ifdef HAVE_DANE
 int dane = ENABLED_OPT(DANE);
 #endif
@@ -490,10 +495,13 @@ static int cert_verify_callback(gnutls_session_t session)
 "Its certificate is valid for %s.\n",
 hostname);
- rc = read_yesno
- ("Do you trust the received key? (y/N): ");
- if (rc == 0)
- return -1;
+ if (strictssh == 0) {
+ rc = read_yesno
+ ("Do you trust the received key? (y/N): ");
+ if (rc == 0)
+ return -1;
+ } else return -1;
+
 } else if (rc < 0) {
 fprintf(stderr, "gnutls_verify_stored_pubkey: %s\n", |
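Review bot: The new flag is defined as `name = strict-tofu;`, so the generated long option is presumably `--strict-tofu`, while the commit title and description call it `--stricttofu`; one of the two should be corrected so users looking for the flag find it. The `doc` string should also say that the option implies --tofu, since the cli.c hunk enables the TOFU verification path whenever STRICT_TOFU is set; appending `Implies --tofu.` to the doc text would cover it.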
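Review bot: The strict branch at `} else return -1;` refuses the connection without saying why, and it is the only unbraced same-line else in an otherwise braced block; the lines just above it print "Its certificate is valid for %s." only when status == 0, so with --strict-tofu a user may see the handshake fail with no hint that the key stored for this host differed. Print a one-line reason before returning and brace the else: `} else {` / `fprintf(stderr, "Refusing to connect: --strict-tofu is set and the stored key does not match.\n");` / `return -1; }`. The stray blank `+` line added after the closing brace can be dropped. If cert_verify_callback also prompts for hosts that were never contacted before (that branch is outside this hunk), it is not affected by the new flag, which matches the option's "known certificate has changed" description but is worth stating in its doc string. cert_verify_callback begins and ends outside the hunk.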