The branch, master has been updated via 1a4504aefb145446c9011fb34743aa8535db3b7b (commit) from 2053e46bfda54ca967f01e637576c65697427952 (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit 1a4504aefb145446c9011fb34743aa8535db3b7b Author: Mike Gabriel <mike.gabriel@das-netzwerkteam.de> Date: Tue Oct 29 16:39:43 2013 +0100 Add option --broker-cacertfile. Allow usage of non-system-wide installed (self-signed) SSL certificate chains for https (SSL) session broker connections. (Fixes: #311). ----------------------------------------------------------------------- Summary of changes: debian/changelog | 3 +++ httpbrokerclient.cpp | 30 ++++++++++++++++++++---------- httpbrokerclient.h | 2 ++ man/man1/x2goclient.1 | 3 +++ onmainwindow.cpp | 5 +++++ onmainwindow.h | 1 + 6 files changed, 34 insertions(+), 10 deletions(-) The diff of changes is: diff --git a/debian/changelog b/debian/changelog index e069591..78908d6 100644 --- a/debian/changelog +++ b/debian/changelog @@ -11,6 +11,9 @@ x2goclient (4.0.1.2-0~x2go2) UNRELEASED; urgency=low + Perform sanity checks on data that comes in from X2Go Servers. Prohibit the execution of arbitrary code via the ~/.bashrc file. (Fixes: #333). + + Add option --broker-cacertfile. Allow usage of non-system-wide + installed (self-signed) SSL certificate chains for https (SSL) + session broker connections. (Fixes: #311). * Pull-in packaging changes from Debian. [ Ricardo Díaz Martín ] diff --git a/httpbrokerclient.cpp b/httpbrokerclient.cpp index 6d16b7b..5bf9caf 100644 --- a/httpbrokerclient.cpp +++ b/httpbrokerclient.cpp @@ -21,6 +21,7 @@ #include <QTextStream> #include <QFile> #include <QDir> +#include <QSslSocket> #include "x2gologdebug.h" #include <QMessageBox> #include <QDateTime> 
@@ -41,10 +42,6 @@ HttpBrokerClient::HttpBrokerClient ( ONMainWindow* wnd, ConfigFile* cfg ) QUrl lurl ( config->brokerurl ); if(lurl.userName().length()>0) config->brokerUser=lurl.userName(); - /* - * load self-signed / custome (root-)CA certificate - * see. http://www.thomaskeller.biz/blog/2009/01/03/ssl-verification-with-qt-and-a-c... - */ if(config->brokerurl.indexOf("ssh://")==0) { @@ -58,18 +55,31 @@ HttpBrokerClient::HttpBrokerClient ( ONMainWindow* wnd, ConfigFile* cfg ) else { sshBroker=false; + http=new QHttp ( this ); - if ( config->brokerurl.indexOf ( "https://" ) ==0 ) + + if ( config->brokerurl.indexOf ( "https://" ) ==0 ) { + if ((config->brokerCaCertFile.length() >0) && (QFile::exists(config->brokerCaCertFile))) { + + sslSocket = new QSslSocket(this); + connect ( sslSocket, SIGNAL ( sslErrors ( const QList<QSslError>& ) ),this, + SLOT ( slotSslErrors ( const QList<QSslError>& ) ) ); + http->setSocket(sslSocket); + sslSocket->addCaCertificates(config->brokerCaCertFile, QSsl::Pem); + x2goDebug<<"Custom CA certificate file loaded into HTTPS broker client: "<<config->brokerCaCertFile; + + } else { + connect ( http, SIGNAL ( sslErrors ( const QList<QSslError>& ) ),this, + SLOT ( slotSslErrors ( const QList<QSslError>& ) ) ); + } http->setHost ( lurl.host(),QHttp::ConnectionModeHttps, lurl.port ( 443 ) ); - else + } else { http->setHost ( lurl.host(),QHttp::ConnectionModeHttp, lurl.port ( 80 ) ); - + } connect ( http,SIGNAL ( requestFinished ( int,bool ) ),this, SLOT ( slotRequestFinished ( int,bool ) ) ); - connect ( http,SIGNAL ( sslErrors ( const QList<QSslError>& ) ),this, - SLOT ( slotSslErrors ( const QList<QSslError>& ) ) ); } } 
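Review bot: The result of `sslSocket->addCaCertificates(config->brokerCaCertFile, QSsl::Pem)` is discarded, so the debug line after it reports the CA file as loaded even when it held no usable PEM certificate. The call returns a bool and the message should depend on it, e.g. `if (!sslSocket->addCaCertificates(config->brokerCaCertFile, QSsl::Pem)) x2goDebug<<"No CA certificate could be loaded from: "<<config->brokerCaCertFile;`. Likewise, when `--broker-cacertfile` names a path that does not exist, the `else` branch runs without any message and the connection is validated against the default CA set only; a debug or warning line there when `brokerCaCertFile` is non-empty would show the user that their CA is not in effect. Note also that `addCaCertificates` extends the socket's CA database rather than replacing it, so the system CAs stay trusted alongside the custom file; that fits the commit description but is worth stating in the man page entry. The constructor begins and ends outside this hunk.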
@@ -520,7 +530,7 @@ void HttpBrokerClient::slotSslErrors ( const QList<QSslError> & errors ) QSslCertificate cert; for ( int i=0; i<errors.count(); ++i ) { - x2goDebug<<"sslError ,code:"<<errors[i].error() <<":"; + x2goDebug<<"sslError, code:"<<errors[i].error() <<":"; err<<errors[i].errorString(); if ( !errors[i].certificate().isNull() ) cert=errors[i].certificate(); diff --git a/httpbrokerclient.h b/httpbrokerclient.h index 78218dc..fc4115d 100644 --- a/httpbrokerclient.h +++ b/httpbrokerclient.h @@ -22,6 +22,7 @@ #include <QBuffer> #include <QObject> #include <QDateTime> +#include <QSslSocket> #include "sshmasterconnection.h" /** @author Oleksandr Shneyder <oleksandr.shneyder@obviously-nice.de> @@ -43,6 +44,7 @@ private: QBuffer httpCmdAnswer; QBuffer httpSessionAnswer; QHttp* http; + QSslSocket* sslSocket; int sessionsRequest; int selSessRequest; int chPassRequest; diff --git a/man/man1/x2goclient.1 b/man/man1/x2goclient.1 index 9eb69ae..8f77f87 100644 --- a/man/man1/x2goclient.1 +++ b/man/man1/x2goclient.1 @@ -106,6 +106,9 @@ In case you want to retrieve \fBx2goclient\fR session profiles from an X2Go Sess \*(T<\fB\-\-broker-url=<URL>\fR\*(T> Specify the <URL> of the X2Go Session Broker. X2Go Client can access http:// and ssh:// style URLs. .TP +\*(T<\fB\-\-broker-cacertfile=</path/to/cafile.crt>\fR\*(T> +Specify a special (self-signed) root-CACert file that shall get used when connecting to an X2Go Session Broker via https (SSL). +.TP \*(T<\fB\-\-broker-noauth\fR\*(T> The X2Go Session Broker is accessible without authentication. .TP diff --git a/onmainwindow.cpp b/onmainwindow.cpp index 3036ecd..d0a3108 100644 --- a/onmainwindow.cpp +++ b/onmainwindow.cpp @@ -6597,6 +6597,11 @@ bool ONMainWindow::parseParameter ( QString param ) config.brokerurl=value; return true; } + if ( setting == "--broker-cacertfile") + { + config.brokerCaCertFile=value; + return true; + } if ( setting == "--broker-ssh-key") { config.brokerSshKey=value; 
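Review bot: In httpbrokerclient.h the new member `QSslSocket* sslSocket;` is assigned only in the https-with-CA-file branch of the constructor in httpbrokerclient.cpp. For ssh://, http:// and https without a CA file it therefore holds an indeterminate value, unless an initializer outside these hunks sets it. Setting `sslSocket=0;` at the start of the constructor (or in its initializer list) keeps any later null check or use from reading garbage. The class declaration starts and ends outside this hunk, so existing initialization may simply not be visible here.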
diff --git a/onmainwindow.h b/onmainwindow.h index 70504d2..7e1d02c 100644 --- a/onmainwindow.h +++ b/onmainwindow.h @@ -168,6 +168,7 @@ struct ConfigFile bool brokerAutologin; bool brokerAutologoff; QString brokerSshKey; + QString brokerCaCertFile; QString iniFile; QString server; QString serverIp;//Can be different from server (use for loadballancing) hooks/post-receive -- x2goclient.git (X2Go Client) This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "x2goclient.git" (X2Go Client).