commit 6bb2e20e6981dc2b32978ef30f5756da1ed54b36
parent a2aff0d2a55304d91a49e795c6d7dc0e481c6912
Author: Solderpunk <solderpunk@sdf.org>
Date: Sun, 10 May 2020 13:44:40 +0200
Try to prevent 'certificate leaks' when visiting a new domain with an active client cert.
Diffstat:
1 file changed, 19 insertions(+), 0 deletions(-)
diff --git a/av98.py b/av98.py
@@ -219,6 +219,7 @@ class GeminiClient(cmd.Cmd):
self.client_certs = {
"active": None
}
+ self.active_cert_domains = []
self.options = {
"debug" : False,
@@ -261,6 +262,17 @@ class GeminiClient(cmd.Cmd):
new_gi = GeminiItem(self.permanent_redirects[gi.url], name=gi.name)
self._go_to_gi(new_gi)
return
+ # Be careful with client certificates
+ if self.active_cert_domains and gi.host not in self.active_cert_domains:
+ print("PRIVACY ALERT: Deactivate client cert before connecting to a new domain?")
+ resp = input("Y/N? ")
+ if resp.lower in ("n", "no"):
+ print("Keeping certificate active for {}".format(gi.host))
+ else:
+ print("Deactivating certificate.")
+ self.client_certs["active"] = None
+ self.active_cert_domains = []
+ self.prompt = self.no_cert_prompt
# Do everything which touches the network in one block,
# so we only need to catch exceptions once
try:
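Review bot: The answer read on the `resp = input("Y/N? ")` line is never actually tested, because `resp.lower` without parentheses is a bound method object and can never be in `("n", "no")`; the comparison is therefore always false and the `else` branch runs on every visit to a new host, deactivating the certificate even when the user typed "n". The fix is `if resp.lower().strip() in ("n", "no"):` so the user's choice is honoured while any other input still falls through to the safe default of deactivating. Note that the check keys on `gi.host` alone, so two servers on the same host but different ports are treated as one domain; whether that matches the intended privacy boundary is worth a comment on the `if self.active_cert_domains and ...` line. The enclosing `_go_to_gi` method starts and ends outside this hunk.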
@@ -465,6 +477,11 @@ Slow internet connection? Use 'set timeout' to be more patient.""")
self._debug("Established {} connection.".format(s.version()))
self._debug("Cipher is: {}.".format(s.cipher()))
+ # Remember that we showed the current cert to this domain...
+ if self.client_certs["active"]:
+ self.active_cert_domains.append(gi.host)
+ self.client_certs[gi.host] = self.client_certs["active"]
+
# Send request and wrap response in a file descriptor
self._debug("Sending %s<CRLF>" % gi.url)
s.sendall((gi.url + CRLF).encode("UTF-8"))
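Review bot: The `self.active_cert_domains.append(gi.host)` line appends unconditionally, so every request to a host already recorded adds a duplicate entry and the list grows with each visit for as long as the certificate stays active. Guarding it with `if gi.host not in self.active_cert_domains:` keeps the list to one entry per host without changing the membership check that the privacy prompt relies on. It is also worth a short comment that this bookkeeping only runs after a successful handshake, so a handshake that fails after the certificate was offered does not record the host; the enclosing method continues outside this hunk.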
@@ -677,6 +694,7 @@ Slow internet connection? Use 'set timeout' to be more patient.""")
if self.client_certs["active"]:
print("Deactivating client certificate.")
self.client_certs["active"] = None
+ self.active_cert_domains = []
self.prompt = self.no_cert_prompt
else:
print("Loading client certificate file, in PEM format (blank line to cancel)")
@@ -684,6 +702,7 @@ Slow internet connection? Use 'set timeout' to be more patient.""")
print("Loading private key file, in PEM format (blank line to cancel)")
keyfile = input("Keyfile path: ")
self.client_certs["active"] = (certfile, keyfile)
+ self.active_cert_domains = []
self.prompt = self.cert_prompt
@restricted