Request OCSP validation data from the server during the SSL handshake.

Signed-off-by: alex-z <blackslayer4@gmail.com>

NEXTCLOUD.cmake

@@ -11,6 +11,7 @@ set( APPLICATION_SERVER_URL "" CACHE STRING "URL for the server to use. If enter
 set( APPLICATION_SERVER_URL_ENFORCE ON ) # If set and APPLICATION_SERVER_URL is defined, the server can only connect to the pre-defined URL
 set( APPLICATION_REV_DOMAIN "com.nextcloud.desktopclient" )
 set( APPLICATION_VIRTUALFILE_SUFFIX "nextcloud" CACHE STRING "Virtual file suffix (not including the .)")
+set( APPLICATION_OCSP_STAPLING_ENABLED OFF )
 
 set( LINUX_PACKAGE_SHORTNAME "nextcloud" )
 set( LINUX_APPLICATION_ID "${APPLICATION_REV_DOMAIN}.${LINUX_PACKAGE_SHORTNAME}")

config.h.in

@@ -29,6 +29,7 @@
 #cmakedefine APPLICATION_WIZARD_HEADER_TITLE_COLOR "@APPLICATION_WIZARD_HEADER_TITLE_COLOR@"
 #cmakedefine APPLICATION_WIZARD_USE_CUSTOM_LOGO "@APPLICATION_WIZARD_USE_CUSTOM_LOGO@"
 #cmakedefine APPLICATION_VIRTUALFILE_SUFFIX "@APPLICATION_VIRTUALFILE_SUFFIX@"
+#cmakedefine APPLICATION_OCSP_STAPLING_ENABLED "@APPLICATION_OCSP_STAPLING_ENABLED@"
 #define APPLICATION_DOTVIRTUALFILE_SUFFIX "." APPLICATION_VIRTUALFILE_SUFFIX
 
 #cmakedefine ZLIB_FOUND @ZLIB_FOUND@

src/gui/sslerrordialog.cpp

@@ -105,6 +105,8 @@ bool SslErrorDialog::checkFailingCertsKnown(const QList<QSslError> &errors)
 
     QStringList errorStrings;
 
+    QStringList additionalErrorStrings;
+
     QList<QSslCertificate> trustedCerts = _account->approvedCerts();
 
     for (int i = 0; i < errors.count(); ++i) {
@@ -115,6 +117,8 @@ bool SslErrorDialog::checkFailingCertsKnown(const QList<QSslError> &errors)
         errorStrings += error.errorString();
         if (!error.certificate().isNull()) {
             _unknownCerts.append(error.certificate());
+        } else {
+            additionalErrorStrings.append(error.errorString());
         }
     }
 
@@ -132,6 +136,7 @@ bool SslErrorDialog::checkFailingCertsKnown(const QList<QSslError> &errors)
     msg += QL("<h3>") + tr("Cannot connect securely to <i>%1</i>:").arg(host) + QL("</h3>");
     // loop over the unknown certs and line up their errors.
     msg += QL("<div id=\"ca_errors\">");
+
     foreach (const QSslCertificate &cert, _unknownCerts) {
         msg += QL("<div id=\"ca_error\">");
         // add the errors for this cert
@@ -146,6 +151,17 @@ bool SslErrorDialog::checkFailingCertsKnown(const QList<QSslError> &errors)
             msg += QL("<hr/>");
         }
     }
+
+    if (!additionalErrorStrings.isEmpty()) {
+        msg += QL("<h3>") + tr("Additional errors:") + QL("</h3>");
+
+        for (const auto &errorString : additionalErrorStrings) {
+            msg += QL("<div id=\"ca_error\">");
+            msg += QL("<p>") + errorString + QL("</p>");
+            msg += QL("</div>");
+        }
+    }
+
     msg += QL("</div></body></html>");
 
     auto *doc = new QTextDocument(nullptr);

src/libsync/account.cpp

@@ -389,6 +389,8 @@ QSslConfiguration Account::getOrCreateSslConfig()
     sslConfig.setSslOption(QSsl::SslOptionDisableSessionSharing, false);
     sslConfig.setSslOption(QSsl::SslOptionDisableSessionPersistence, false);
 
+    sslConfig.setOcspStaplingEnabled(Theme::instance()->enableStaplingOCSP());
+
     return sslConfig;
 }
 

src/libsync/theme.cpp

@@ -399,6 +399,15 @@ bool Theme::forceOverrideServerUrl() const
 #endif
 }
 
+bool Theme::enableStaplingOCSP() const
+{
+#ifdef APPLICATION_OCSP_STAPLING_ENABLED
+    return true;
+#else
+    return false;
+#endif
+}
+
 QString Theme::forceConfigAuthType() const
 {
     return QString();

src/libsync/theme.h

@@ -239,6 +239,13 @@ public:
      * When true, the respective UI controls will be disabled
      */
     virtual bool forceOverrideServerUrl() const;
+    
+    /**
+     * Enable OCSP stapling for SSL handshakes
+     *
+     * When true, peer will be requested for Online Certificate Status Protocol response
+     */
+    virtual bool enableStaplingOCSP() const;
 
     /**
      * This is only usefull when previous version had a different overrideServerUrl