
Forbid trusting the untrusted certificate.

Signed-off-by: alex-z <blackslayer4@gmail.com>
alex-z %!s(int64=4) %!d(string=hai) anos
pai
achega
db4e54025a
Modificáronse 5 ficheiros con 22 adicións e 2 borrados
  1. 1 0
      NEXTCLOUD.cmake
  2. 1 0
      config.h.in
  3. 4 2
      src/gui/sslerrordialog.cpp
  4. 9 0
      src/libsync/theme.cpp
  5. 7 0
      src/libsync/theme.h

+ 1 - 0
NEXTCLOUD.cmake

@@ -12,6 +12,7 @@ set( APPLICATION_SERVER_URL_ENFORCE ON ) # If set and APPLICATION_SERVER_URL is
 set( APPLICATION_REV_DOMAIN "com.nextcloud.desktopclient" )
 set( APPLICATION_VIRTUALFILE_SUFFIX "nextcloud" CACHE STRING "Virtual file suffix (not including the .)")
 set( APPLICATION_OCSP_STAPLING_ENABLED OFF )
+set( APPLICATION_FORBID_BAD_SSL OFF )
 
 set( LINUX_PACKAGE_SHORTNAME "nextcloud" )
 set( LINUX_APPLICATION_ID "${APPLICATION_REV_DOMAIN}.${LINUX_PACKAGE_SHORTNAME}")

+ 1 - 0
config.h.in

@@ -30,6 +30,7 @@
 #cmakedefine APPLICATION_WIZARD_USE_CUSTOM_LOGO "@APPLICATION_WIZARD_USE_CUSTOM_LOGO@"
 #cmakedefine APPLICATION_VIRTUALFILE_SUFFIX "@APPLICATION_VIRTUALFILE_SUFFIX@"
 #cmakedefine APPLICATION_OCSP_STAPLING_ENABLED "@APPLICATION_OCSP_STAPLING_ENABLED@"
+#cmakedefine APPLICATION_FORBID_BAD_SSL "@APPLICATION_FORBID_BAD_SSL@"
 #define APPLICATION_DOTVIRTUALFILE_SUFFIX "." APPLICATION_VIRTUALFILE_SUFFIX
 
 #cmakedefine ZLIB_FOUND @ZLIB_FOUND@

+ 4 - 2
src/gui/sslerrordialog.cpp

@@ -13,6 +13,7 @@
  */
 #include "configfile.h"
 #include "sslerrordialog.h"
+#include "theme.h"
 
 #include <QtGui>
 #include <QtNetwork>
@@ -68,6 +69,8 @@ SslErrorDialog::SslErrorDialog(AccountPtr account, QWidget *parent)
     QPushButton *cancelButton =
         _ui->_dialogButtonBox->button(QDialogButtonBox::Cancel);
     okButton->setEnabled(false);
+
+    _ui->_cbTrustConnect->setEnabled(!Theme::instance()->forbidBadSSL());
     connect(_ui->_cbTrustConnect, &QAbstractButton::clicked,
         okButton, &QWidget::setEnabled);
 
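Review bot: Disabling `_cbTrustConnect` enforces the policy only in the widget; nothing in the visible hunks makes the dialog's decision logic consult `forbidBadSSL()`. `checkFailingCertsKnown()` (partly visible in the later hunks) presumably still succeeds for certificates the account approved before the option was turned on, and the code that reads the checkbox on accept is not guarded either; confirm both against the full file. Consider checking `Theme::instance()->forbidBadSSL()` where the decision is made, so that previously approved certificates are not honoured and no new ones are stored while the policy is set. A tooltip on the disabled checkbox would also tell the user why the option is unavailable. The constructor body continues outside this hunk.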
@@ -136,7 +139,6 @@ bool SslErrorDialog::checkFailingCertsKnown(const QList<QSslError> &errors)
     msg += QL("<h3>") + tr("Cannot connect securely to <i>%1</i>:").arg(host) + QL("</h3>");
     // loop over the unknown certs and line up their errors.
     msg += QL("<div id=\"ca_errors\">");
-
     foreach (const QSslCertificate &cert, _unknownCerts) {
         msg += QL("<div id=\"ca_error\">");
         // add the errors for this cert
@@ -153,7 +155,7 @@ bool SslErrorDialog::checkFailingCertsKnown(const QList<QSslError> &errors)
     }
 
     if (!additionalErrorStrings.isEmpty()) {
-        msg += QL("<h3>") + tr("Additional errors:") + QL("</h3>");
+        msg += QL("<h4>") + tr("Additional errors:") + QL("</h4>");
 
         for (const auto &errorString : additionalErrorStrings) {
             msg += QL("<div id=\"ca_error\">");

+ 9 - 0
src/libsync/theme.cpp

@@ -408,6 +408,15 @@ bool Theme::enableStaplingOCSP() const
 #endif
 }
 
+bool Theme::forbidBadSSL() const
+{
+#ifdef APPLICATION_FORBID_BAD_SSL
+    return true;
+#else
+    return false;
+#endif
+}
+
 QString Theme::forceConfigAuthType() const
 {
     return QString();
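Review bot: `forbidBadSSL()` fails open, because the `#ifdef APPLICATION_FORBID_BAD_SSL` test yields false whenever the macro is not visible in this translation unit. A missing config include or a misspelled option name would silently re-enable trusting bad certificates. The string value that `config.h.in` gives the macro is never used here. Logging the effective value at startup, or a unit test built with the option ON, would make a silently disabled policy detectable. At minimum add a comment such as `// Defined by config.h only when APPLICATION_FORBID_BAD_SSL is ON in the branding cmake file.`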

+ 7 - 0
src/libsync/theme.h

@@ -247,6 +247,13 @@ public:
      */
     virtual bool enableStaplingOCSP() const;
 
+    /**
+     * Enforce SSL validity
+     *
+     * When true, trusting the untrusted certificate is not allowed
+     */
+    virtual bool forbidBadSSL() const;
+
     /**
      * This is only usefull when previous version had a different overrideServerUrl
      * with a different auth type in that case You should then specify "http" or "shibboleth".
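Review bot: The doc comment on `forbidBadSSL()` says "Enforce SSL validity", which is broader than what the visible code does (it disables the trust checkbox in SslErrorDialog), and it does not say where the value comes from. Suggested wording: `When true, the SSL error dialog does not let the user accept an untrusted certificate.` followed by `Set at build time through APPLICATION_FORBID_BAD_SSL (OFF in NEXTCLOUD.cmake).` The class declaration starts and continues outside this hunk.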