70cc4f9e8c381126dd25e253efb7f009b04365e9
[claws.git] / src / gtk / sslcertwindow.c
1 /*
2  * Claws Mail -- a GTK+ based, lightweight, and fast e-mail client
3  * Copyright (C) 1999-2016 Colin Leroy <colin@colino.net>
4  * and the Claws Mail team
5  *
6  * This program is free software; you can redistribute it and/or modify
7  * it under the terms of the GNU General Public License as published by
8  * the Free Software Foundation; either version 3 of the License, or
9  * (at your option) any later version.
10  *
11  * This program is distributed in the hope that it will be useful,
12  * but WITHOUT ANY WARRANTY; without even the implied warranty of
13  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
14  * GNU General Public License for more details.
15  *
16  * You should have received a copy of the GNU General Public License
17  * along with this program. If not, see <http://www.gnu.org/licenses/>.
18  * 
19  */
20
21 #ifdef HAVE_CONFIG_H
22 #  include "config.h"
23 #include "claws-features.h"
24 #endif
25
26 #ifdef USE_GNUTLS
27
28 #include <gnutls/gnutls.h>
29 #include <gnutls/x509.h>
30 #include <sys/types.h>
31 #include <sys/stat.h>
32 #include <stdio.h>
33 #include <unistd.h>
34 #include <string.h>
35
36 #include <glib.h>
37 #include <glib/gi18n.h>
38 #include <gtk/gtk.h>
39
40 #include "prefs_common.h"
41 #include "defs.h"
42 #include "ssl_certificate.h"
43 #include "utils.h"
44 #include "alertpanel.h"
45 #include "hooks.h"
46
47 static gboolean sslcertwindow_ask_new_cert(SSLCertificate *cert);
48 static gboolean sslcertwindow_ask_expired_cert(SSLCertificate *cert);
49 static gboolean sslcertwindow_ask_changed_cert(SSLCertificate *old_cert, SSLCertificate *new_cert);
50
51 static GtkWidget *cert_presenter(SSLCertificate *cert)
52 {
53         GtkWidget *vbox = NULL;
54         GtkWidget *hbox = NULL;
55         GtkWidget *frame_owner = NULL;
56         GtkWidget *frame_signer = NULL;
57         GtkWidget *frame_status = NULL;
58         GtkTable *owner_table = NULL;
59         GtkTable *signer_table = NULL;
60         GtkTable *status_table = NULL;
61         GtkWidget *label = NULL;
62         
63         char *issuer_commonname, *issuer_location, *issuer_organization;
64         char *subject_commonname, *subject_location, *subject_organization;
65         char *sig_status, *exp_date;
66         char *md5_fingerprint, *sha1_fingerprint, *sha256_fingerprint, *fingerprint;
67         size_t n;
68         char buf[100];
69         unsigned char md[128];  
70         char *tmp;
71         time_t exp_time_t;
72         struct tm lt;
73
74         /* issuer */    
75         issuer_commonname = g_malloc(BUFFSIZE);
76         issuer_location = g_malloc(BUFFSIZE);
77         issuer_organization = g_malloc(BUFFSIZE);
78         subject_commonname = g_malloc(BUFFSIZE);
79         subject_location = g_malloc(BUFFSIZE);
80         subject_organization = g_malloc(BUFFSIZE);
81
82         n = BUFFSIZE;
83         if (gnutls_x509_crt_get_issuer_dn_by_oid(cert->x509_cert, 
84                 GNUTLS_OID_X520_COMMON_NAME, 0, 0, issuer_commonname, &n))
85                 strncpy(issuer_commonname, _("<not in certificate>"), BUFFSIZE);
86         n = BUFFSIZE;
87
88         if (gnutls_x509_crt_get_issuer_dn_by_oid(cert->x509_cert, 
89                 GNUTLS_OID_X520_LOCALITY_NAME, 0, 0, issuer_location, &n)) {
90                 if (gnutls_x509_crt_get_issuer_dn_by_oid(cert->x509_cert, 
91                         GNUTLS_OID_X520_COUNTRY_NAME, 0, 0, issuer_location, &n)) {
92                         strncpy(issuer_location, _("<not in certificate>"), BUFFSIZE);
93                 }
94         } else {
95                 tmp = g_malloc(BUFFSIZE);
96                 if (gnutls_x509_crt_get_issuer_dn_by_oid(cert->x509_cert, 
97                         GNUTLS_OID_X520_COUNTRY_NAME, 0, 0, tmp, &n) == 0) {
98                         strncat(issuer_location, ", ", BUFFSIZE-strlen(issuer_location)-1);
99                         strncat(issuer_location, tmp, BUFFSIZE-strlen(issuer_location)-1);
100                 }
101                 g_free(tmp);
102         }
103
104         n = BUFFSIZE;
105         if (gnutls_x509_crt_get_issuer_dn_by_oid(cert->x509_cert, 
106                 GNUTLS_OID_X520_ORGANIZATION_NAME, 0, 0, issuer_organization, &n))
107                 strncpy(issuer_organization, _("<not in certificate>"), BUFFSIZE);
108
109         n = BUFFSIZE;
110         if (gnutls_x509_crt_get_dn_by_oid(cert->x509_cert, 
111                 GNUTLS_OID_X520_COMMON_NAME, 0, 0, subject_commonname, &n))
112                 strncpy(subject_commonname, _("<not in certificate>"), BUFFSIZE);
113         n = BUFFSIZE;
114
115         if (gnutls_x509_crt_get_dn_by_oid(cert->x509_cert, 
116                 GNUTLS_OID_X520_LOCALITY_NAME, 0, 0, subject_location, &n)) {
117                 if (gnutls_x509_crt_get_dn_by_oid(cert->x509_cert, 
118                         GNUTLS_OID_X520_COUNTRY_NAME, 0, 0, subject_location, &n)) {
119                         strncpy(subject_location, _("<not in certificate>"), BUFFSIZE);
120                 }
121         } else {
122                 tmp = g_malloc(BUFFSIZE);
123                 if (gnutls_x509_crt_get_dn_by_oid(cert->x509_cert, 
124                         GNUTLS_OID_X520_COUNTRY_NAME, 0, 0, tmp, &n) == 0) {
125                         strncat(subject_location, ", ", BUFFSIZE-strlen(subject_location)-1);
126                         strncat(subject_location, tmp, BUFFSIZE-strlen(subject_location)-1);
127                 }
128                 g_free(tmp);
129         }
130
131         n = BUFFSIZE;
132         if (gnutls_x509_crt_get_dn_by_oid(cert->x509_cert, 
133                 GNUTLS_OID_X520_ORGANIZATION_NAME, 0, 0, subject_organization, &n))
134                 strncpy(subject_organization, _("<not in certificate>"), BUFFSIZE);
135                 
136         exp_time_t = gnutls_x509_crt_get_expiration_time(cert->x509_cert);
137
138         memset(buf, 0, sizeof(buf));
139         if (exp_time_t > 0) {
140                 fast_strftime(buf, sizeof(buf)-1, prefs_common.date_format, localtime_r(&exp_time_t, &lt));
141                 exp_date = (*buf) ? g_strdup(buf):g_strdup("?");
142         } else
143                 exp_date = g_strdup("");
144
145         /* fingerprint */
146         n = 128;
147         gnutls_x509_crt_get_fingerprint(cert->x509_cert, GNUTLS_DIG_MD5, md, &n);
148         md5_fingerprint = readable_fingerprint(md, (int)n);
149         n = 128;
150         gnutls_x509_crt_get_fingerprint(cert->x509_cert, GNUTLS_DIG_SHA1, md, &n);
151         sha1_fingerprint = readable_fingerprint(md, (int)n);
152         n = 128;
153         gnutls_x509_crt_get_fingerprint(cert->x509_cert, GNUTLS_DIG_SHA256, md, &n);
154         sha256_fingerprint = readable_fingerprint(md, (int)n);
155
156
157         /* signature */
158         sig_status = ssl_certificate_check_signer(cert, cert->status);
159
160         if (sig_status==NULL)
161                 sig_status = g_strdup(_("Correct"));
162
163         vbox = gtk_vbox_new(FALSE, 5);
164         hbox = gtk_hbox_new(FALSE, 5);
165         
166         frame_owner  = gtk_frame_new(_("Owner"));
167         frame_signer = gtk_frame_new(_("Signer"));
168         frame_status = gtk_frame_new(_("Status"));
169         
170         owner_table = GTK_TABLE(gtk_table_new(3, 2, FALSE));
171         signer_table = GTK_TABLE(gtk_table_new(3, 2, FALSE));
172         status_table = GTK_TABLE(gtk_table_new(3, 2, FALSE));
173         
174         label = gtk_label_new(_("Name: "));
175         gtk_misc_set_alignment (GTK_MISC (label), 1, 0.5);
176         gtk_table_attach(owner_table, label, 0, 1, 0, 1, GTK_EXPAND|GTK_FILL, 0, 0, 0);
177         label = gtk_label_new(subject_commonname);
178         gtk_label_set_selectable(GTK_LABEL(label), TRUE);
179         gtk_misc_set_alignment (GTK_MISC (label), 0, 0.5);
180         gtk_table_attach(owner_table, label, 1, 2, 0, 1, GTK_EXPAND|GTK_FILL, 0, 0, 0);
181         
182         label = gtk_label_new(_("Organization: "));
183         gtk_misc_set_alignment (GTK_MISC (label), 1, 0.5);
184         gtk_table_attach(owner_table, label, 0, 1, 1, 2, GTK_EXPAND|GTK_FILL, 0, 0, 0);
185         label = gtk_label_new(subject_organization);
186         gtk_label_set_selectable(GTK_LABEL(label), TRUE);
187         gtk_misc_set_alignment (GTK_MISC (label), 0, 0.5);
188         gtk_table_attach(owner_table, label, 1, 2, 1, 2, GTK_EXPAND|GTK_FILL, 0, 0, 0);
189         
190         label = gtk_label_new(_("Location: "));
191         gtk_misc_set_alignment (GTK_MISC (label), 1, 0.5);
192         gtk_table_attach(owner_table, label, 0, 1, 2, 3, GTK_EXPAND|GTK_FILL, 0, 0, 0);
193         label = gtk_label_new(subject_location);
194         gtk_label_set_selectable(GTK_LABEL(label), TRUE);
195         gtk_misc_set_alignment (GTK_MISC (label), 0, 0.5);
196         gtk_table_attach(owner_table, label, 1, 2, 2, 3, GTK_EXPAND|GTK_FILL, 0, 0, 0);
197
198         label = gtk_label_new(_("Name: "));
199         gtk_misc_set_alignment (GTK_MISC (label), 1, 0.5);
200         gtk_table_attach(signer_table, label, 0, 1, 0, 1, GTK_EXPAND|GTK_FILL, 0, 0, 0);
201         label = gtk_label_new(issuer_commonname);
202         gtk_label_set_selectable(GTK_LABEL(label), TRUE);
203         gtk_misc_set_alignment (GTK_MISC (label), 0, 0.5);
204         gtk_table_attach(signer_table, label, 1, 2, 0, 1, GTK_EXPAND|GTK_FILL, 0, 0, 0);
205         
206         label = gtk_label_new(_("Organization: "));
207         gtk_misc_set_alignment (GTK_MISC (label), 1, 0.5);
208         gtk_table_attach(signer_table, label, 0, 1, 1, 2, GTK_EXPAND|GTK_FILL, 0, 0, 0);
209         label = gtk_label_new(issuer_organization);
210         gtk_label_set_selectable(GTK_LABEL(label), TRUE);
211         gtk_misc_set_alignment (GTK_MISC (label), 0, 0.5);
212         gtk_table_attach(signer_table, label, 1, 2, 1, 2, GTK_EXPAND|GTK_FILL, 0, 0, 0);
213         
214         label = gtk_label_new(_("Location: "));
215         gtk_misc_set_alignment (GTK_MISC (label), 1, 0.5);
216         gtk_table_attach(signer_table, label, 0, 1, 2, 3, GTK_EXPAND|GTK_FILL, 0, 0, 0);
217         label = gtk_label_new(issuer_location);
218         gtk_label_set_selectable(GTK_LABEL(label), TRUE);
219         gtk_misc_set_alignment (GTK_MISC (label), 0, 0.5);
220         gtk_table_attach(signer_table, label, 1, 2, 2, 3, GTK_EXPAND|GTK_FILL, 0, 0, 0);
221
222         label = gtk_label_new(_("Fingerprint: \n"));
223         gtk_misc_set_alignment (GTK_MISC (label), 1, 0.5);
224         gtk_table_attach(status_table, label, 0, 1, 0, 1, GTK_EXPAND|GTK_FILL, 0, 0, 0);
225         fingerprint = g_strdup_printf("MD5: %s\nSHA1: %s\nSHA256: %s",
226                         md5_fingerprint, sha1_fingerprint, sha256_fingerprint);
227         label = gtk_label_new(fingerprint);
228         g_free(fingerprint);
229         gtk_label_set_selectable(GTK_LABEL(label), TRUE);
230         gtk_misc_set_alignment (GTK_MISC (label), 0, 0.5);
231         gtk_table_attach(status_table, label, 1, 2, 0, 1, GTK_EXPAND|GTK_FILL, 0, 0, 0);
232         label = gtk_label_new(_("Signature status: "));
233         gtk_misc_set_alignment (GTK_MISC (label), 1, 0.5);
234         gtk_table_attach(status_table, label, 0, 1, 1, 2, GTK_EXPAND|GTK_FILL, 0, 0, 0);
235         label = gtk_label_new(sig_status);
236         gtk_label_set_selectable(GTK_LABEL(label), TRUE);
237         gtk_misc_set_alignment (GTK_MISC (label), 0, 0.5);
238         gtk_table_attach(status_table, label, 1, 2, 1, 2, GTK_EXPAND|GTK_FILL, 0, 0, 0);
239         label = gtk_label_new(_("Expires on: "));
240         gtk_misc_set_alignment (GTK_MISC (label), 1, 0.5);
241         gtk_table_attach(status_table, label, 0, 1, 2, 3, GTK_EXPAND|GTK_FILL, 0, 0, 0);
242         label = gtk_label_new(exp_date);
243         gtk_label_set_selectable(GTK_LABEL(label), TRUE);
244         gtk_misc_set_alignment (GTK_MISC (label), 0, 0.5);
245         gtk_table_attach(status_table, label, 1, 2, 2, 3, GTK_EXPAND|GTK_FILL, 0, 0, 0);
246         
247         gtk_container_add(GTK_CONTAINER(frame_owner), GTK_WIDGET(owner_table));
248         gtk_container_add(GTK_CONTAINER(frame_signer), GTK_WIDGET(signer_table));
249         gtk_container_add(GTK_CONTAINER(frame_status), GTK_WIDGET(status_table));
250         
251         gtk_box_pack_end(GTK_BOX(hbox), frame_signer, TRUE, TRUE, 0);
252         gtk_box_pack_end(GTK_BOX(hbox), frame_owner, TRUE, TRUE, 0);
253         gtk_box_pack_end(GTK_BOX(vbox), frame_status, TRUE, TRUE, 0);
254         gtk_box_pack_end(GTK_BOX(vbox), hbox, TRUE, TRUE, 0);
255         
256         gtk_widget_show_all(vbox);
257         
258         g_free(issuer_commonname);
259         g_free(issuer_location);
260         g_free(issuer_organization);
261         g_free(subject_commonname);
262         g_free(subject_location);
263         g_free(subject_organization);
264         g_free(md5_fingerprint);
265         g_free(sha1_fingerprint);
266         g_free(sha256_fingerprint);
267         g_free(sig_status);
268         g_free(exp_date);
269         return vbox;
270 }
271
272 static gboolean sslcert_ask_hook(gpointer source, gpointer data)
273 {
274         SSLCertHookData *hookdata = (SSLCertHookData *)source;
275
276         if (hookdata == NULL) {
277                 return FALSE;
278         }
279         
280         if (prefs_common.skip_ssl_cert_check) {
281                 hookdata->accept = TRUE;
282                 return TRUE;
283         }
284
285         if (hookdata->old_cert == NULL) {
286                 if (hookdata->expired)
287                         hookdata->accept = sslcertwindow_ask_expired_cert(hookdata->cert);
288                 else
289                         hookdata->accept = sslcertwindow_ask_new_cert(hookdata->cert);
290         } else {
291                 hookdata->accept = sslcertwindow_ask_changed_cert(hookdata->old_cert, hookdata->cert);
292         }
293
294         return TRUE;
295 }
296
297 void sslcertwindow_register_hook(void)
298 {
299         hooks_register_hook(SSLCERT_ASK_HOOKLIST, sslcert_ask_hook, NULL);
300 }
301
302 void sslcertwindow_show_cert(SSLCertificate *cert)
303 {
304         GtkWidget *cert_widget = cert_presenter(cert);
305         gchar *buf;
306         
307         buf = g_strdup_printf(_("SSL/TLS certificate for %s"), cert->host);
308         alertpanel_full(buf, NULL, GTK_STOCK_CLOSE, NULL, NULL,
309                         ALERTFOCUS_FIRST, FALSE, cert_widget, ALERT_NOTICE);
310         g_free(buf);
311 }
312
313 static gchar *sslcertwindow_get_invalid_str(SSLCertificate *cert)
314 {
315         gchar *subject_cn = NULL;
316         gchar *str = NULL;
317
318         if (ssl_certificate_check_subject_cn(cert))
319                 return g_strdup("");
320         
321         subject_cn = ssl_certificate_get_subject_cn(cert);
322         
323         str = g_strdup_printf(_("Certificate is for %s, but connection is to %s.\n"
324                                 "You may be connecting to a rogue server.\n\n"), 
325                                 subject_cn, cert->host);
326         g_free(subject_cn);
327         
328         return str;
329 }
330
331 static gboolean sslcertwindow_ask_new_cert(SSLCertificate *cert)
332 {
333         gchar *buf, *sig_status;
334         AlertValue val;
335         GtkWidget *vbox;
336         GtkWidget *label;
337         GtkWidget *button;
338         GtkWidget *cert_widget;
339         gchar *invalid_str = sslcertwindow_get_invalid_str(cert);
340         const gchar *title;
341
342         vbox = gtk_vbox_new(FALSE, 5);
343         buf = g_strdup_printf(_("Certificate for %s is unknown.\n%sDo you want to accept it?"), cert->host, invalid_str);
344         g_free(invalid_str);
345
346         label = gtk_label_new(buf);
347         gtk_misc_set_alignment (GTK_MISC (label), 0, 0.5);
348         gtk_box_pack_start(GTK_BOX(vbox), label, TRUE, TRUE, 0);
349         g_free(buf);
350         
351         sig_status = ssl_certificate_check_signer(cert, cert->status);
352         if (sig_status==NULL)
353                 sig_status = g_strdup(_("Correct"));
354
355         buf = g_strdup_printf(_("Signature status: %s"), sig_status);
356         label = gtk_label_new(buf);
357         gtk_label_set_selectable(GTK_LABEL(label), TRUE);
358         gtk_misc_set_alignment (GTK_MISC (label), 0, 0.5);
359         gtk_box_pack_start(GTK_BOX(vbox), label, TRUE, TRUE, 0);
360         g_free(buf);
361         g_free(sig_status);
362         
363         button = gtk_expander_new_with_mnemonic(_("_View certificate"));
364         gtk_box_pack_start(GTK_BOX(vbox), button, FALSE, FALSE, 0);
365         cert_widget = cert_presenter(cert);
366         gtk_container_add(GTK_CONTAINER(button), cert_widget);
367
368         if (!ssl_certificate_check_subject_cn(cert))
369                 title = _("SSL/TLS certificate is invalid");
370         else
371                 title = _("SSL/TLS certificate is unknown");
372
373         val = alertpanel_full(title, NULL,
374                               _("_Cancel connection"), _("_Accept and save"), NULL,
375                               ALERTFOCUS_FIRST, FALSE, vbox, ALERT_QUESTION);
376         
377         return (val == G_ALERTALTERNATE);
378 }
379
380 static gboolean sslcertwindow_ask_expired_cert(SSLCertificate *cert)
381 {
382         gchar *buf, *sig_status;
383         AlertValue val;
384         GtkWidget *vbox;
385         GtkWidget *label;
386         GtkWidget *button;
387         GtkWidget *cert_widget;
388         gchar *invalid_str = sslcertwindow_get_invalid_str(cert);
389         const gchar *title;
390
391         vbox = gtk_vbox_new(FALSE, 5);
392         buf = g_strdup_printf(_("Certificate for %s is expired.\n%sDo you want to continue?"), cert->host, invalid_str);
393         g_free(invalid_str);
394
395         label = gtk_label_new(buf);
396         gtk_misc_set_alignment (GTK_MISC (label), 0, 0.5);
397         gtk_box_pack_start(GTK_BOX(vbox), label, TRUE, TRUE, 0);
398         g_free(buf);
399         
400         sig_status = ssl_certificate_check_signer(cert, cert->status);
401
402         if (sig_status==NULL)
403                 sig_status = g_strdup(_("Correct"));
404
405         buf = g_strdup_printf(_("Signature status: %s"), sig_status);
406         label = gtk_label_new(buf);
407         gtk_label_set_selectable(GTK_LABEL(label), TRUE);
408         gtk_misc_set_alignment (GTK_MISC (label), 0, 0.5);
409         gtk_box_pack_start(GTK_BOX(vbox), label, TRUE, TRUE, 0);
410         g_free(buf);
411         g_free(sig_status);
412         
413         button = gtk_expander_new_with_mnemonic(_("_View certificate"));
414         gtk_box_pack_start(GTK_BOX(vbox), button, FALSE, FALSE, 0);
415         cert_widget = cert_presenter(cert);
416         gtk_container_add(GTK_CONTAINER(button), cert_widget);
417
418         if (!ssl_certificate_check_subject_cn(cert))
419                 title = _("SSL/TLS certificate is invalid and expired");
420         else
421                 title = _("SSL/TLS certificate is expired");
422
423         val = alertpanel_full(title, NULL,
424                               _("_Cancel connection"), _("_Accept"), NULL,
425                               ALERTFOCUS_FIRST, FALSE, vbox, ALERT_QUESTION);
426         
427         return (val == G_ALERTALTERNATE);
428 }
429
430 static gboolean sslcertwindow_ask_changed_cert(SSLCertificate *old_cert, SSLCertificate *new_cert)
431 {
432         GtkWidget *old_cert_widget = cert_presenter(old_cert);
433         GtkWidget *new_cert_widget = cert_presenter(new_cert);
434         GtkWidget *vbox;
435         gchar *buf, *sig_status;
436         GtkWidget *vbox2;
437         GtkWidget *label;
438         GtkWidget *button;
439         AlertValue val;
440         gchar *invalid_str = sslcertwindow_get_invalid_str(new_cert);
441         const gchar *title;
442
443         vbox = gtk_vbox_new(FALSE, 5);
444         label = gtk_label_new(_("New certificate:"));
445         gtk_misc_set_alignment (GTK_MISC (label), 0, 0.5);
446         gtk_box_pack_end(GTK_BOX(vbox), new_cert_widget, TRUE, TRUE, 0);
447         gtk_box_pack_end(GTK_BOX(vbox), label, TRUE, TRUE, 0);
448         gtk_box_pack_end(GTK_BOX(vbox), gtk_hseparator_new(), TRUE, TRUE, 0);
449         label = gtk_label_new(_("Known certificate:"));
450         gtk_misc_set_alignment (GTK_MISC (label), 0, 0.5);
451         gtk_box_pack_end(GTK_BOX(vbox), old_cert_widget, TRUE, TRUE, 0);
452         gtk_box_pack_end(GTK_BOX(vbox), label, TRUE, TRUE, 0);
453         gtk_widget_show_all(vbox);
454         
455         vbox2 = gtk_vbox_new(FALSE, 5);
456         buf = g_strdup_printf(_("Certificate for %s has changed.\n%sDo you want to accept it?"), new_cert->host, invalid_str);
457         g_free(invalid_str);
458
459         label = gtk_label_new(buf);
460         gtk_misc_set_alignment (GTK_MISC (label), 0, 0.5);
461         gtk_box_pack_start(GTK_BOX(vbox2), label, TRUE, TRUE, 0);
462         g_free(buf);
463         
464         sig_status = ssl_certificate_check_signer(new_cert, new_cert->status);
465
466         if (sig_status==NULL)
467                 sig_status = g_strdup(_("Correct"));
468
469         buf = g_strdup_printf(_("Signature status: %s"), sig_status);
470         label = gtk_label_new(buf);
471         gtk_label_set_selectable(GTK_LABEL(label), TRUE);
472         gtk_misc_set_alignment (GTK_MISC (label), 0, 0.5);
473         gtk_box_pack_start(GTK_BOX(vbox2), label, TRUE, TRUE, 0);
474         g_free(buf);
475         g_free(sig_status);
476         
477         button = gtk_expander_new_with_mnemonic(_("_View certificates"));
478         gtk_box_pack_start(GTK_BOX(vbox2), button, FALSE, FALSE, 0);
479         gtk_container_add(GTK_CONTAINER(button), vbox);
480
481         if (!ssl_certificate_check_subject_cn(new_cert))
482                 title = _("SSL/TLS certificate changed and is invalid");
483         else
484                 title = _("SSL/TLS certificate changed");
485         val = alertpanel_full(title, NULL,
486                               _("_Cancel connection"), _("_Accept and save"), NULL,
487                               ALERTFOCUS_FIRST, FALSE, vbox2, ALERT_WARNING);
488         
489         return (val == G_ALERTALTERNATE);
490 }
491 #endif