As a first step to improving native SSL support in gnash, this allows connections to untrusted sites when specifically enabled in gnashrc.
SWFs via https:// are pretty hard to find and I haven't found any with trusted certificates. This can be tested with savannah attachments such as: https://savannah.gnu.org/file/png_alpha_test.swf?file_id=13168 At the moment, SSL errors are no curl_easy_getinfo(_handle, CURLINFO_SSL_VERIFYRESULT, &code); ----- Ursprüngliche Mail ---- Von: Benjamin Wolsey <[EMAIL PROTECTED]> An: [email protected] Gesendet: Sonntag, den 30. September 2007, 20:51:28 Uhr Betreff: [Gnash-commit] gnash ChangeLog libbase/curl_adapter.cpp libbas... CVSROOT: /sources/gnash Module name: gnash Changes by: Benjamin Wolsey <bwy> 07/09/30 18:51:28 Modified files: . : ChangeLog libbase : curl_adapter.cpp rc.cpp rc.h Log message: * libbase/curl_adapter.cpp: allow, with security warning, override of curl's SSL certificate verification when requested in gnashrc. Equivalent to curl --insecure. * libbase/rc.{cpp,h}: 'set insecureSSL on' disables SSL certificate verification, thus allowing connections from the standalone player to https:// sites when the certificate is invalid or untrusted. CVSWeb URLs: http://cvs.savannah.gnu.org/viewcvs/gnash/ChangeLog?cvsroot=gnash&r1=1.4482&r2=1.4483 http://cvs.savannah.gnu.org/viewcvs/gnash/libbase/curl_adapter.cpp?cvsroot=gnash&r1=1.39&r2=1.40 http://cvs.savannah.gnu.org/viewcvs/gnash/libbase/rc.cpp?cvsroot=gnash&r1=1.38&r2=1.39 http://cvs.savannah.gnu.org/viewcvs/gnash/libbase/rc.h?cvsroot=gnash&r1=1.27&r2=1.28 Patches: Index: ChangeLog =================================================================== RCS file: /sources/gnash/gnash/ChangeLog,v retrieving revision 1.4482 retrieving revision 1.4483 diff -u -b -r1.4482 -r1.4483 --- ChangeLog 30 Sep 2007 05:24:35 -0000 1.4482 +++ ChangeLog 30 Sep 2007 18:51:27 -0000 1.4483 
@@ -1,3 +1,12 @@ +2007-09-30 Benjamin Wolsey <[EMAIL PROTECTED]> + + * libbase/curl_adapter.cpp: allow, with security warning, override + of curl's SSL certificate verification when requested in gnashrc. + Equivalent to curl --insecure. + * libbase/rc.{cpp,h}: 'set insecureSSL on' disables SSL certificate + verification, thus allowing connections from the standalone player + to https:// sites when the certificate is invalid or untrusted. + 2007-09-30 Sandro Santilli <[EMAIL PROTECTED]> * server/environment.{h, cpp}: get_variable_raw() set 'this' to the orignial target Index: libbase/curl_adapter.cpp =================================================================== RCS file: /sources/gnash/gnash/libbase/curl_adapter.cpp,v retrieving revision 1.39 retrieving revision 1..40 diff -u -b -r1.39 -r1.40 --- libbase/curl_adapter.cpp 25 Sep 2007 14:17:20 -0000 1.39 +++ libbase/curl_adapter.cpp 30 Sep 2007 18:51:27 -0000 1.40 @@ -17,7 +17,7 @@ // Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA // -/* $Id: curl_adapter.cpp,v 1.39 2007/09/25 14:17:20 strk Exp $ */ +/* $Id: curl_adapter.cpp,v 1.40 2007/09/30 18:51:27 bwy Exp $ */ #ifdef HAVE_CONFIG_H #include "config.h" @@ -402,7 +402,6 @@ _running = false; } - } /*private*/ 
@@ -438,6 +437,25 @@ CURLcode ccode; + // Override cURL's default verification of SSL certificates + // This is insecure, so log security warning. + // Equivalent to curl -k or curl --insecure. + if (gnash::RcInitFile::getDefaultInstance().SSLInsecure()) + { + gnash::log_security(_("Allowing connections to SSL sites with invalid" + " or absent certificates")); + + ccode = curl_easy_setopt(_handle, CURLOPT_SSL_VERIFYPEER, 0); + if ( ccode != CURLE_OK ) { + throw gnash::GnashException(curl_easy_strerror(ccode)); + } + + ccode = curl_easy_setopt(_handle, CURLOPT_SSL_VERIFYHOST, 0); + if ( ccode != CURLE_OK ) { + throw gnash::GnashException(curl_easy_strerror(ccode)); + } + } + ccode = curl_easy_setopt(_handle, CURLOPT_USERAGENT, "Gnash-" VERSION); if ( ccode != CURLE_OK ) { throw gnash::GnashException(curl_easy_strerror(ccode)); @@ -646,6 +664,7 @@ _running = false; return false; } + } if ( fseek(_cache, 0, SEEK_END) == -1 ) { Index: libbase/rc.cpp =================================================================== RCS file: /sources/gnash/gnash/libbase/rc.cpp,v retrieving revision 1.38 retrieving revision 1.39 diff -u -b -r1.38 -r1.39 --- libbase/rc.cpp 28 Sep 2007 16:12:27 -0000 1.38 +++ libbase/rc.cpp 30 Sep 2007 18:51:27 -0000 1.39 @@ -80,6 +80,7 @@ _plugin_sound(true), _extensionsEnabled(false), _startStopped(false), + _SSLInsecure(false), _streamsTimeout(DEFAULT_STREAMS_TIMEOUT) { @@ -326,7 +327,7 @@ } // Read in each line and parse it - while (!in.eof()) { + do { // Make sure action is empty, otherwise the last loop (with no new // data) keeps action, variable and value from the previous loop. This @@ -389,6 +390,8 @@ value); extractSetting(&_localdomain_only, "localdomain", variable, value); + extractSetting(&_SSLInsecure, "InsecureSSL", variable, + value); extractSetting(&_debugger, "debugger", variable, value); extractSetting(&_actiondump, "actionDump", variable, value); extractSetting(&_parserdump, "parserDump", variable, value); 
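Review bot: In the added block both `curl_easy_setopt` calls pass a plain `0`, but libcurl reads `CURLOPT_SSL_VERIFYPEER` and `CURLOPT_SSL_VERIFYHOST` as `long` through a variadic call, so the literal should be `0L`, e.g. `curl_easy_setopt(_handle, CURLOPT_SSL_VERIFYPEER, 0L);`. The override is also all-or-nothing: once `SSLInsecure()` returns true, every handle initialised through this code skips both the chain check and the host-name check. The comment above the block should say so explicitly, for example `// Applies to every https:// transfer made through this adapter; the peer's identity is not checked at all.` The `log_security` message would be more useful in logs if it named the URL being fetched, though whether the URL is available at this point is not visible in the hunk. The enclosing function starts and ends outside the hunk.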
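Review bot: The change from `while (!in.eof())` to `do { … } while (!in.eof());` (opened in the `@@ -326,7 +327,7 @@` hunk of rc.cpp, closed by `} while (!in.eof());` in the `@@ -409,7 +412,7 @@` hunk) is not mentioned in the log message. It still tests end-of-file only after the body has run, so a pass whose read failed or returned nothing is parsed like any other line. The context comment about the last loop keeping `action`, `variable` and `value` suggests that this stale pass is already a known problem. Driving the loop from the read itself would remove it, but the read statement is outside the hunk, so the exact form cannot be given here. At minimum, add a comment at the `do {` line stating why the body must now run at least once, since this parser decides whether certificate verification is switched off.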
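Review bot: In the `@@ -389,6 +390,8 @@` hunk of rc.cpp the key is registered as `"InsecureSSL"`, while the ChangeLog entry in this same commit documents `set insecureSSL on`. Unless `extractSetting` compares names case-insensitively (its body is not in the hunk), a user following the ChangeLog spelling would see the option silently ignored. Either make the two spellings agree or state the rule next to the call, e.g. `// extractSetting matches the key case-insensitively`, if that is in fact how it behaves.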
@@ -409,7 +412,7 @@ extractNumber(&_verbosity, "verbosity", variable, value); } } - } + } while (!in.eof()); } else { if (in) { @@ -515,6 +518,8 @@ << ((_localhost_only)?"enabled":"disabled") << endl; cerr << "\tWrite Debug Log To Disk: " << ((_writelog)?"enabled":"disabled") << endl; + cerr << "\tAllow insecure SSL connections: " + << ((_SSLInsecure)?"yes":"no") << endl; cerr << "\tEnable sound: " << ((_sound)?"enabled":"disabled") << endl; cerr << "\tEnable Plugin sound: " Index: libbase/rc.h =================================================================== RCS file: /sources/gnash/gnash/libbase/rc.h,v retrieving revision 1.27 retrieving revision 1.28 diff -u -b -r1.27 -r1.28 --- libbase/rc.h 28 Sep 2007 15:44:03 -0000 1.27 +++ libbase/rc.h 30 Sep 2007 18:51:27 -0000 1.28 @@ -73,6 +73,8 @@ /// bool startStopped() const { return _startStopped; } + bool SSLInsecure() const { return _SSLInsecure; } + int verbosityLevel() const { return _verbosity; } void verbosityLevel(int value) { _verbosity = value; } @@ -155,6 +157,9 @@ bool _startStopped; // whether to start the gui in "stop" mode + bool _SSLInsecure; // When TRUE, does not verify SSL certificates + // so is INSECURE. + /// The number of seconds of inactivity triggering download timeout double _streamsTimeout; _______________________________________________ Gnash-commit mailing list [email protected] http://lists.gnu.org/mailman/listinfo/gnash-commit Machen Sie Yahoo! zu Ihrer Startseite. Los geht's: http://de.yahoo.com/set _______________________________________________ Gnash-commit mailing list [email protected] http://lists.gnu.org/mailman/listinfo/gnash-commit
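Review bot: The new accessor `SSLInsecure()` in the `@@ -73,6 +73,8 @@` hunk of rc.h has no doc comment, although the neighbouring declarations visible in the hunk use `///` comments. Add `/// Return true if gnashrc asked to skip SSL certificate verification (insecure).` above it. The hunk adds no setter, which appears to mean the flag can only be turned on from the rc file; if that is intended, it is worth saying in the same comment so that a later setter is added deliberately. The `_SSLInsecure` member comment in the `@@ -155,6 +157,9 @@` hunk could use the same `///` form as the `_streamsTimeout` comment below it.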
