Windows XP doesn't contain a valid CA for our cloud certificate

This is the authentication check and cloud server availability check which
are different from the one git does. The mechanism for overriding things
is different from there, but this should work just as well.

We intercept the SslErrors signal and if we get the known good hash for
our certificate, we simply call it good.

Signed-off-by: Dirk Hohndel <dirk@hohndel.org>

3 files changed, 56 insertions, 10 deletions

diff --git a/checkcloudconnection.cpp b/checkcloudconnection.cpp
index ef37c6a55..b780453fc 100644
--- a/checkcloudconnection.cpp
+++ b/checkcloudconnection.cpp
@@ -28,9 +28,10 @@ bool CheckCloudConnection::checkServer()
 	request.setRawHeader("User-Agent", getUserAgent().toUtf8());
 	request.setUrl(QString(prefs.cloud_base_url) + TEAPOT);
 	QNetworkAccessManager *mgr = new QNetworkAccessManager();
-	QNetworkReply *reply = mgr->get(request);
+	reply = mgr->get(request);
 	connect(&timer, SIGNAL(timeout()), &loop, SLOT(quit()));
 	connect(reply, SIGNAL(finished()), &loop, SLOT(quit()));
+	connect(reply, SIGNAL(sslErrors(QList<QSslError>)), this, SLOT(sslErrors(QList<QSslError>)));
 	timer.start(2000); // wait two seconds
 	loop.exec();
 	if (timer.isActive()) {
@@ -44,14 +45,15 @@ bool CheckCloudConnection::checkServer()
 				qWarning() << "Cloud storage: successfully checked connection to cloud server";
 			return true;
 		}
-		// qDebug() << "did not get expected response - server unreachable" <<
-		//	    reply->error() << reply->errorString() <<
-		//	    reply->attribute(QNetworkRequest::HttpStatusCodeAttribute).toInt() <<
-		//	    reply->readAll();
 	} else {
 		disconnect(reply, SIGNAL(finished()), &loop, SLOT(quit()));
 		reply->abort();
 	}
+	if (verbose)
+		qDebug() << "connection test to cloud server failed" <<
+			    reply->error() << reply->errorString() <<
+			    reply->attribute(QNetworkRequest::HttpStatusCodeAttribute).toInt() <<
+			    reply->readAll();
 	reply->deleteLater();
 	mgr->deleteLater();
 	if (verbose)
@@ -59,10 +61,33 @@ bool CheckCloudConnection::checkServer()
 	return false;
 }
 
+void CheckCloudConnection::sslErrors(QList<QSslError> errorList)
+{
+	if (verbose) {
+		qDebug() << "Received error response trying to set up https connection with cloud storage backend:";
+		Q_FOREACH (QSslError err, errorList) {
+			qDebug() << err.errorString();
+		}
+	}
+	QSslConfiguration conf = reply->sslConfiguration();
+	QSslCertificate cert = conf.peerCertificate();
+	QByteArray hexDigest = cert.digest().toHex();
+	if (reply->url().toString().contains(prefs.cloud_base_url) &&
+	    hexDigest == "13ff44c62996cfa5cd69d6810675490e") {
+		if (verbose)
+			qDebug() << "Overriding SSL check as I recognize the certificate digest" << hexDigest;
+		reply->ignoreSslErrors();
+	} else {
+		if (verbose)
+			qDebug() << "got invalid SSL certificate with hex digest" << hexDigest;
+	}
+}
+
 // helper to be used from C code
 extern "C" bool canReachCloudServer()
 {
 	if (verbose)
 		qWarning() << "Cloud storage: checking connection to cloud server";
-	return CheckCloudConnection::checkServer();
+	CheckCloudConnection *checker = new CheckCloudConnection;
+	return checker->checkServer();
 }
diff --git a/checkcloudconnection.h b/checkcloudconnection.h
index 6c85203ac..58a412797 100644
--- a/checkcloudconnection.h
+++ b/checkcloudconnection.h
@@ -2,6 +2,8 @@
 #define CHECKCLOUDCONNECTION_H
 
 #include <QObject>
+#include <QNetworkReply>
+#include <QSsl>
 
 #include "checkcloudconnection.h"
 
@@ -9,7 +11,12 @@ class CheckCloudConnection : public QObject {
 	Q_OBJECT
 public:
 	CheckCloudConnection(QObject *parent = 0);
-	static bool checkServer();
+	bool checkServer();
+private:
+	QNetworkReply *reply;
+private
+slots:
+	void sslErrors(QList<QSslError> errorList);
 };
 
 #endif // CHECKCLOUDCONNECTION_H
diff --git a/qt-ui/subsurfacewebservices.cpp b/qt-ui/subsurfacewebservices.cpp
index e2e3b3e78..c34ddd7bf 100644
--- a/qt-ui/subsurfacewebservices.cpp
+++ b/qt-ui/subsurfacewebservices.cpp
@@ -1069,8 +1069,22 @@ void CloudStorageAuthenticate::uploadError(QNetworkReply::NetworkError error)
 
 void CloudStorageAuthenticate::sslErrors(QList<QSslError> errorList)
 {
-	qDebug() << "Received error response trying to set up https connection with cloud storage backend:";
-	Q_FOREACH (QSslError err, errorList) {
-		qDebug() << err.errorString();
+	if (verbose) {
+		qDebug() << "Received error response trying to set up https connection with cloud storage backend:";
+		Q_FOREACH (QSslError err, errorList) {
+			qDebug() << err.errorString();
+		}
+	}
+	QSslConfiguration conf = reply->sslConfiguration();
+	QSslCertificate cert = conf.peerCertificate();
+	QByteArray hexDigest = cert.digest().toHex();
+	if (reply->url().toString().contains(prefs.cloud_base_url) &&
+	    hexDigest == "13ff44c62996cfa5cd69d6810675490e") {
+		if (verbose)
+			qDebug() << "Overriding SSL check as I recognize the certificate digest" << hexDigest;
+		reply->ignoreSslErrors();
+	} else {
+		if (verbose)
+			qDebug() << "got invalid SSL certificate with hex digest" << hexDigest;
 	}
 }