Allow the core to use expired certificates.

[quassel.git] / src / core / sslserver.cpp

diff --git a/src/core/sslserver.cpp b/src/core/sslserver.cpp
index 78adb82..987db4b 100644 (file)
--- a/src/core/sslserver.cpp
+++ b/src/core/sslserver.cpp
@@ -25,21 +25,25 @@
 #endif
 
 #include <QFile>
-#include <QDebug>
 
 #include "logger.h"
-#include "util.h"
+#include "quassel.h"
 
 #ifdef HAVE_SSL
 
 SslServer::SslServer(QObject *parent)
-  : QTcpServer(parent)
+  : QTcpServer(parent),
+  _isCertValid(false)
 {
-  if (! setCertificate(quasselDir().absolutePath() + "/quasselCert.pem")) {
-    qWarning()
-      << "SslServer: Unable to set certificate file\n"
-      << "          Quassel Core will still work, but cannot provide SSL for client connections.\n"
-      << "          Please see http://quassel-irc.org/faq/cert to learn how to enable SSL support.";
+  static bool sslWarningShown = false;
+  if(!setCertificate(Quassel::configDirPath() + "quasselCert.pem")) {
+    if(!sslWarningShown) {
+      quWarning()
+        << "SslServer: Unable to set certificate file\n"
+        << "          Quassel Core will still work, but cannot provide SSL for client connections.\n"
+        << "          Please see http://quassel-irc.org/faq/cert to learn how to enable SSL support.";
+      sslWarningShown=true;
+    }
   }
 }
 
@@ -53,9 +57,10 @@ QTcpSocket *SslServer::nextPendingConnection() {
 void SslServer::incomingConnection(int socketDescriptor) {
   QSslSocket *serverSocket = new QSslSocket(this);
   if(serverSocket->setSocketDescriptor(socketDescriptor)) {
-    if(certIsValid()) {
+    if(isCertValid()) {
       serverSocket->setLocalCertificate(_cert);
       serverSocket->setPrivateKey(_key);
+      serverSocket->addCaCertificates(_ca);
     }
     _pendingConnections << serverSocket;
     emit newConnection();
@@ -65,50 +70,60 @@ void SslServer::incomingConnection(int socketDescriptor) {
 }
 
 bool SslServer::setCertificate(const QString &path) {
-  _certIsValid = false;
+  _isCertValid = false;
 
-  if (path.isNull()) {
+  if(path.isEmpty())
     return false;
-  }
 
   QFile certFile(path);
-  if (! certFile.exists()) {
-    qWarning() << "SslServer: Certificate file" << qPrintable(path) << "does not exist";
+  if(!certFile.exists()) {
+    quWarning() << "SslServer: Certificate file" << qPrintable(path) << "does not exist";
     return false;
   }
 
-  if (! certFile.open(QIODevice::ReadOnly)) {
-    qWarning()
+  if(!certFile.open(QIODevice::ReadOnly)) {
+    quWarning()
       << "SslServer: Failed to open certificate file" << qPrintable(path)
       << "error:" << certFile.error();
     return false;
   }
-  _cert = QSslCertificate(&certFile);
 
-  if (! certFile.reset()) {
-    qWarning() << "SslServer: IO error reading certificate file";
+  QList<QSslCertificate> certList = QSslCertificate::fromDevice(&certFile);
+
+  if (certList.isEmpty()) {
+    quWarning() << "SslServer: Certificate file doesn't contain a certificate";
+    return false;
+  }
+
+  _cert = certList[0];
+  certList.removeFirst(); // remove server cert
+
+  // store CA and intermediates certs
+  _ca = certList;
+
+  if(!certFile.reset()) {
+    quWarning() << "SslServer: IO error reading certificate file";
     return false;
   }
 
   _key = QSslKey(&certFile, QSsl::Rsa);
   certFile.close();
 
-  if (_cert.isNull()) {
-    qWarning() << "SslServer:" << qPrintable(path) << "contains no certificate data";
+  if(_cert.isNull()) {
+    quWarning() << "SslServer:" << qPrintable(path) << "contains no certificate data";
     return false;
   }
-  if (! _cert.isValid()) {
-    qWarning() << "SslServer: Invalid certificate";
-    return false;
+  if(!_cert.isValid()) {
+    quWarning() << "SslServer: Invalid certificate (most likely expired)";
   }
-  if (_key.isNull()) {
-    qWarning() << "SslServer:" << qPrintable(path) << "contains no key data";
+  if(_key.isNull()) {
+    quWarning() << "SslServer:" << qPrintable(path) << "contains no key data";
     return false;
   }
 
-  _certIsValid = true;
+  _isCertValid = true;
 
-  return _certIsValid;
+  return _isCertValid;
 }
 
 #endif // HAVE_SSL