src/gtk/sslcertwindow.c

   1 /*
   2  * Claws Mail -- a GTK+ based, lightweight, and fast e-mail client
   3  * Copyright (C) 1999-2007 Colin Leroy <colin@colino.net>
   4  * and the Claws Mail team
   5  *
   6  * This program is free software; you can redistribute it and/or modify
   7  * it under the terms of the GNU General Public License as published by
   8  * the Free Software Foundation; either version 3 of the License, or
   9  * (at your option) any later version.
  10  *
  11  * This program is distributed in the hope that it will be useful,
  12  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  13  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  14  * GNU General Public License for more details.
  15  *
  16  * You should have received a copy of the GNU General Public License
  17  * along with this program. If not, see <http://www.gnu.org/licenses/>.
  18  *
  19  */
  20
  21 #ifdef HAVE_CONFIG_H
  22 #  include "config.h"
  23 #endif
  24
  25 #if (defined(USE_OPENSSL) || defined (USE_GNUTLS))
  26
  27 #if USE_OPENSSL
  28 #include <openssl/ssl.h>
  29 #else
  30 #include <gnutls/gnutls.h>
  31 #include <gnutls/x509.h>
  32 #include <sys/types.h>
  33 #include <sys/stat.h>
  34 #include <stdio.h>
  35 #include <unistd.h>
  36 #include <string.h>
  37 #endif
  38 #include <glib.h>
  39 #include <glib/gi18n.h>
  40 #include <gtk/gtk.h>
  41
  42 #include "prefs_common.h"
  43 #include "defs.h"
  44 #include "ssl_certificate.h"
  45 #include "utils.h"
  46 #include "alertpanel.h"
  47 #include "hooks.h"
  48
  49 static gboolean sslcertwindow_ask_new_cert(SSLCertificate *cert);
  50 static gboolean sslcertwindow_ask_expired_cert(SSLCertificate *cert);
  51 static gboolean sslcertwindow_ask_changed_cert(SSLCertificate *old_cert, SSLCertificate *new_cert);
  52
  53 static GtkWidget *cert_presenter(SSLCertificate *cert)
  54 {
  55         GtkWidget *vbox = NULL;
  56         GtkWidget *hbox = NULL;
  57         GtkWidget *frame_owner = NULL;
  58         GtkWidget *frame_signer = NULL;
  59         GtkWidget *frame_status = NULL;
  60         GtkTable *owner_table = NULL;
  61         GtkTable *signer_table = NULL;
  62         GtkTable *status_table = NULL;
  63         GtkWidget *label = NULL;
  64
  65         char *issuer_commonname, *issuer_location, *issuer_organization;
  66         char *subject_commonname, *subject_location, *subject_organization;
  67         char *fingerprint, *sig_status, *exp_date;
  68         unsigned int n;
  69         char buf[100];
  70         unsigned char md[128];
  71 #if USE_OPENSSL
  72         ASN1_TIME *validity;
  73 #else
  74         char *tmp;
  75 #endif
  76         time_t exp_time_t;
  77         struct tm lt;
  78
  79         /* issuer */
  80 #if USE_OPENSSL
  81         if (X509_NAME_get_text_by_NID(X509_get_issuer_name(cert->x509_cert),
  82                                        NID_commonName, buf, 100) >= 0)
  83                 issuer_commonname = g_strdup(buf);
  84         else
  85                 issuer_commonname = g_strdup(_("<not in certificate>"));
  86         if (X509_NAME_get_text_by_NID(X509_get_issuer_name(cert->x509_cert),
  87                                        NID_localityName, buf, 100) >= 0) {
  88                 issuer_location = g_strdup(buf);
  89                 if (X509_NAME_get_text_by_NID(X509_get_issuer_name(cert->x509_cert),
  90                                        NID_countryName, buf, 100) >= 0)
  91                         issuer_location = g_strconcat(issuer_location,", ",buf, NULL);
  92         } else if (X509_NAME_get_text_by_NID(X509_get_issuer_name(cert->x509_cert),
  93                                        NID_countryName, buf, 100) >= 0)
  94                 issuer_location = g_strdup(buf);
  95         else
  96                 issuer_location = g_strdup(_("<not in certificate>"));
  97
  98         if (X509_NAME_get_text_by_NID(X509_get_issuer_name(cert->x509_cert),
  99                                        NID_organizationName, buf, 100) >= 0)
 100                 issuer_organization = g_strdup(buf);
 101         else
 102                 issuer_organization = g_strdup(_("<not in certificate>"));
 103
 104         /* subject */
 105         if (X509_NAME_get_text_by_NID(X509_get_subject_name(cert->x509_cert),
 106                                        NID_commonName, buf, 100) >= 0)
 107                 subject_commonname = g_strdup(buf);
 108         else
 109                 subject_commonname = g_strdup(_("<not in certificate>"));
 110         if (X509_NAME_get_text_by_NID(X509_get_subject_name(cert->x509_cert),
 111                                        NID_localityName, buf, 100) >= 0) {
 112                 subject_location = g_strdup(buf);
 113                 if (X509_NAME_get_text_by_NID(X509_get_subject_name(cert->x509_cert),
 114                                        NID_countryName, buf, 100) >= 0)
 115                         subject_location = g_strconcat(subject_location,", ",buf, NULL);
 116         } else if (X509_NAME_get_text_by_NID(X509_get_subject_name(cert->x509_cert),
 117                                        NID_countryName, buf, 100) >= 0)
 118                 subject_location = g_strdup(buf);
 119         else
 120                 subject_location = g_strdup(_("<not in certificate>"));
 121
 122         if (X509_NAME_get_text_by_NID(X509_get_subject_name(cert->x509_cert),
 123                                        NID_organizationName, buf, 100) >= 0)
 124                 subject_organization = g_strdup(buf);
 125         else
 126                 subject_organization = g_strdup(_("<not in certificate>"));
 127
 128         if ((validity = X509_get_notAfter(cert->x509_cert)) != NULL) {
 129                 exp_time_t = asn1toTime(validity);
 130         } else {
 131                 exp_time_t = (time_t)0;
 132         }
 133 #else
 134         issuer_commonname = g_malloc(BUFFSIZE);
 135         issuer_location = g_malloc(BUFFSIZE);
 136         issuer_organization = g_malloc(BUFFSIZE);
 137         subject_commonname = g_malloc(BUFFSIZE);
 138         subject_location = g_malloc(BUFFSIZE);
 139         subject_organization = g_malloc(BUFFSIZE);
 140
 141         n = BUFFSIZE;
 142         if (gnutls_x509_crt_get_issuer_dn_by_oid(cert->x509_cert,
 143                 GNUTLS_OID_X520_COMMON_NAME, 0, 0, issuer_commonname, &n))
 144                 strncpy(issuer_commonname, _("<not in certificate>"), BUFFSIZE);
 145         n = BUFFSIZE;
 146
 147         if (gnutls_x509_crt_get_issuer_dn_by_oid(cert->x509_cert,
 148                 GNUTLS_OID_X520_LOCALITY_NAME, 0, 0, issuer_location, &n)) {
 149                 if (gnutls_x509_crt_get_issuer_dn_by_oid(cert->x509_cert,
 150                         GNUTLS_OID_X520_COUNTRY_NAME, 0, 0, issuer_location, &n)) {
 151                         strncpy(issuer_location, _("<not in certificate>"), BUFFSIZE);
 152                 }
 153         } else {
 154                 tmp = g_malloc(BUFFSIZE);
 155                 if (gnutls_x509_crt_get_issuer_dn_by_oid(cert->x509_cert,
 156                         GNUTLS_OID_X520_COUNTRY_NAME, 0, 0, tmp, &n) == 0) {
 157                         strncat(issuer_location, ", ", BUFFSIZE-strlen(issuer_location));
 158                         strncat(issuer_location, tmp, BUFFSIZE-strlen(issuer_location));
 159                 }
 160                 g_free(tmp);
 161         }
 162
 163         n = BUFFSIZE;
 164         if (gnutls_x509_crt_get_issuer_dn_by_oid(cert->x509_cert,
 165                 GNUTLS_OID_X520_ORGANIZATION_NAME, 0, 0, issuer_organization, &n))
 166                 strncpy(issuer_organization, _("<not in certificate>"), BUFFSIZE);
 167
 168         n = BUFFSIZE;
 169         if (gnutls_x509_crt_get_dn_by_oid(cert->x509_cert,
 170                 GNUTLS_OID_X520_COMMON_NAME, 0, 0, subject_commonname, &n))
 171                 strncpy(subject_commonname, _("<not in certificate>"), BUFFSIZE);
 172         n = BUFFSIZE;
 173
 174         if (gnutls_x509_crt_get_dn_by_oid(cert->x509_cert,
 175                 GNUTLS_OID_X520_LOCALITY_NAME, 0, 0, subject_location, &n)) {
 176                 if (gnutls_x509_crt_get_dn_by_oid(cert->x509_cert,
 177                         GNUTLS_OID_X520_COUNTRY_NAME, 0, 0, subject_location, &n)) {
 178                         strncpy(subject_location, _("<not in certificate>"), BUFFSIZE);
 179                 }
 180         } else {
 181                 tmp = g_malloc(BUFFSIZE);
 182                 if (gnutls_x509_crt_get_dn_by_oid(cert->x509_cert,
 183                         GNUTLS_OID_X520_COUNTRY_NAME, 0, 0, tmp, &n) == 0) {
 184                         strncat(subject_location, ", ", BUFFSIZE-strlen(subject_location));
 185                         strncat(subject_location, tmp, BUFFSIZE-strlen(subject_location));
 186                 }
 187                 g_free(tmp);
 188         }
 189
 190         n = BUFFSIZE;
 191         if (gnutls_x509_crt_get_dn_by_oid(cert->x509_cert,
 192                 GNUTLS_OID_X520_ORGANIZATION_NAME, 0, 0, subject_organization, &n))
 193                 strncpy(subject_organization, _("<not in certificate>"), BUFFSIZE);
 194
 195         exp_time_t = gnutls_x509_crt_get_expiration_time(cert->x509_cert);
 196 #endif
 197
 198         memset(buf, 0, sizeof(buf));
 199         strftime(buf, sizeof(buf)-1, prefs_common.date_format, localtime_r(&exp_time_t, &lt));
 200         exp_date = (*buf) ? g_strdup(buf):g_strdup("?");
 201
 202         /* fingerprint */
 203 #if USE_OPENSSL
 204         X509_digest(cert->x509_cert, EVP_md5(), md, &n);
 205         fingerprint = readable_fingerprint(md, (int)n);
 206
 207         /* signature */
 208         sig_status = ssl_certificate_check_signer(cert->x509_cert);
 209 #else
 210         n = 128;
 211         gnutls_x509_crt_get_fingerprint(cert->x509_cert, GNUTLS_DIG_MD5, md, &n);
 212         fingerprint = readable_fingerprint(md, (int)n);
 213
 214         /* signature */
 215         sig_status = ssl_certificate_check_signer(cert->x509_cert, cert->status);
 216 #endif
 217
 218         if (sig_status==NULL)
 219                 sig_status = g_strdup(_("correct"));
 220
 221         vbox = gtk_vbox_new(FALSE, 5);
 222         hbox = gtk_hbox_new(FALSE, 5);
 223
 224         frame_owner  = gtk_frame_new(_("Owner"));
 225         frame_signer = gtk_frame_new(_("Signer"));
 226         frame_status = gtk_frame_new(_("Status"));
 227
 228         owner_table = GTK_TABLE(gtk_table_new(3, 2, FALSE));
 229         signer_table = GTK_TABLE(gtk_table_new(3, 2, FALSE));
 230         status_table = GTK_TABLE(gtk_table_new(3, 2, FALSE));
 231
 232         label = gtk_label_new(_("Name: "));
 233         gtk_misc_set_alignment (GTK_MISC (label), 1, 0.5);
 234         gtk_table_attach(owner_table, label, 0, 1, 0, 1, GTK_EXPAND|GTK_FILL, 0, 0, 0);
 235         label = gtk_label_new(subject_commonname);
 236         gtk_label_set_selectable(GTK_LABEL(label), TRUE);
 237         gtk_misc_set_alignment (GTK_MISC (label), 0, 0.5);
 238         gtk_table_attach(owner_table, label, 1, 2, 0, 1, GTK_EXPAND|GTK_FILL, 0, 0, 0);
 239
 240         label = gtk_label_new(_("Organization: "));
 241         gtk_misc_set_alignment (GTK_MISC (label), 1, 0.5);
 242         gtk_table_attach(owner_table, label, 0, 1, 1, 2, GTK_EXPAND|GTK_FILL, 0, 0, 0);
 243         label = gtk_label_new(subject_organization);
 244         gtk_label_set_selectable(GTK_LABEL(label), TRUE);
 245         gtk_misc_set_alignment (GTK_MISC (label), 0, 0.5);
 246         gtk_table_attach(owner_table, label, 1, 2, 1, 2, GTK_EXPAND|GTK_FILL, 0, 0, 0);
 247
 248         label = gtk_label_new(_("Location: "));
 249         gtk_misc_set_alignment (GTK_MISC (label), 1, 0.5);
 250         gtk_table_attach(owner_table, label, 0, 1, 2, 3, GTK_EXPAND|GTK_FILL, 0, 0, 0);
 251         label = gtk_label_new(subject_location);
 252         gtk_label_set_selectable(GTK_LABEL(label), TRUE);
 253         gtk_misc_set_alignment (GTK_MISC (label), 0, 0.5);
 254         gtk_table_attach(owner_table, label, 1, 2, 2, 3, GTK_EXPAND|GTK_FILL, 0, 0, 0);
 255
 256         label = gtk_label_new(_("Name: "));
 257         gtk_misc_set_alignment (GTK_MISC (label), 1, 0.5);
 258         gtk_table_attach(signer_table, label, 0, 1, 0, 1, GTK_EXPAND|GTK_FILL, 0, 0, 0);
 259         label = gtk_label_new(issuer_commonname);
 260         gtk_label_set_selectable(GTK_LABEL(label), TRUE);
 261         gtk_misc_set_alignment (GTK_MISC (label), 0, 0.5);
 262         gtk_table_attach(signer_table, label, 1, 2, 0, 1, GTK_EXPAND|GTK_FILL, 0, 0, 0);
 263
 264         label = gtk_label_new(_("Organization: "));
 265         gtk_misc_set_alignment (GTK_MISC (label), 1, 0.5);
 266         gtk_table_attach(signer_table, label, 0, 1, 1, 2, GTK_EXPAND|GTK_FILL, 0, 0, 0);
 267         label = gtk_label_new(issuer_organization);
 268         gtk_label_set_selectable(GTK_LABEL(label), TRUE);
 269         gtk_misc_set_alignment (GTK_MISC (label), 0, 0.5);
 270         gtk_table_attach(signer_table, label, 1, 2, 1, 2, GTK_EXPAND|GTK_FILL, 0, 0, 0);
 271
 272         label = gtk_label_new(_("Location: "));
 273         gtk_misc_set_alignment (GTK_MISC (label), 1, 0.5);
 274         gtk_table_attach(signer_table, label, 0, 1, 2, 3, GTK_EXPAND|GTK_FILL, 0, 0, 0);
 275         label = gtk_label_new(issuer_location);
 276         gtk_label_set_selectable(GTK_LABEL(label), TRUE);
 277         gtk_misc_set_alignment (GTK_MISC (label), 0, 0.5);
 278         gtk_table_attach(signer_table, label, 1, 2, 2, 3, GTK_EXPAND|GTK_FILL, 0, 0, 0);
 279
 280         label = gtk_label_new(_("Fingerprint: "));
 281         gtk_misc_set_alignment (GTK_MISC (label), 1, 0.5);
 282         gtk_table_attach(status_table, label, 0, 1, 0, 1, GTK_EXPAND|GTK_FILL, 0, 0, 0);
 283         label = gtk_label_new(fingerprint);
 284         gtk_label_set_selectable(GTK_LABEL(label), TRUE);
 285         gtk_misc_set_alignment (GTK_MISC (label), 0, 0.5);
 286         gtk_table_attach(status_table, label, 1, 2, 0, 1, GTK_EXPAND|GTK_FILL, 0, 0, 0);
 287         label = gtk_label_new(_("Signature status: "));
 288         gtk_misc_set_alignment (GTK_MISC (label), 1, 0.5);
 289         gtk_table_attach(status_table, label, 0, 1, 1, 2, GTK_EXPAND|GTK_FILL, 0, 0, 0);
 290         label = gtk_label_new(sig_status);
 291         gtk_label_set_selectable(GTK_LABEL(label), TRUE);
 292         gtk_misc_set_alignment (GTK_MISC (label), 0, 0.5);
 293         gtk_table_attach(status_table, label, 1, 2, 1, 2, GTK_EXPAND|GTK_FILL, 0, 0, 0);
 294         label = gtk_label_new(_("Expires on: "));
 295         gtk_misc_set_alignment (GTK_MISC (label), 1, 0.5);
 296         gtk_table_attach(status_table, label, 0, 1, 2, 3, GTK_EXPAND|GTK_FILL, 0, 0, 0);
 297         label = gtk_label_new(exp_date);
 298         gtk_label_set_selectable(GTK_LABEL(label), TRUE);
 299         gtk_misc_set_alignment (GTK_MISC (label), 0, 0.5);
 300         gtk_table_attach(status_table, label, 1, 2, 2, 3, GTK_EXPAND|GTK_FILL, 0, 0, 0);
 301
 302         gtk_container_add(GTK_CONTAINER(frame_owner), GTK_WIDGET(owner_table));
 303         gtk_container_add(GTK_CONTAINER(frame_signer), GTK_WIDGET(signer_table));
 304         gtk_container_add(GTK_CONTAINER(frame_status), GTK_WIDGET(status_table));
 305
 306         gtk_box_pack_end(GTK_BOX(hbox), frame_signer, TRUE, TRUE, 0);
 307         gtk_box_pack_end(GTK_BOX(hbox), frame_owner, TRUE, TRUE, 0);
 308         gtk_box_pack_end(GTK_BOX(vbox), frame_status, TRUE, TRUE, 0);
 309         gtk_box_pack_end(GTK_BOX(vbox), hbox, TRUE, TRUE, 0);
 310
 311         gtk_widget_show_all(vbox);
 312
 313         g_free(issuer_commonname);
 314         g_free(issuer_location);
 315         g_free(issuer_organization);
 316         g_free(subject_commonname);
 317         g_free(subject_location);
 318         g_free(subject_organization);
 319         g_free(fingerprint);
 320         g_free(sig_status);
 321         g_free(exp_date);
 322         return vbox;
 323 }
 324
 325 static gboolean sslcert_ask_hook(gpointer source, gpointer data)
 326 {
 327         SSLCertHookData *hookdata = (SSLCertHookData *)source;
 328
 329         if (prefs_common.skip_ssl_cert_check)
 330                 return TRUE;
 331
 332         if (hookdata == NULL) {
 333                 return FALSE;
 334         }
 335         if (hookdata->old_cert == NULL) {
 336                 if (hookdata->expired)
 337                         hookdata->accept = sslcertwindow_ask_expired_cert(hookdata->cert);
 338                 else
 339                         hookdata->accept = sslcertwindow_ask_new_cert(hookdata->cert);
 340         } else {
 341                 hookdata->accept = sslcertwindow_ask_changed_cert(hookdata->old_cert, hookdata->cert);
 342         }
 343         return TRUE;
 344 }
 345
 346 void sslcertwindow_register_hook(void)
 347 {
 348         hooks_register_hook(SSLCERT_ASK_HOOKLIST, sslcert_ask_hook, NULL);
 349 }
 350
 351 void sslcertwindow_show_cert(SSLCertificate *cert)
 352 {
 353         GtkWidget *cert_widget = cert_presenter(cert);
 354         gchar *buf;
 355
 356         buf = g_strdup_printf(_("SSL certificate for %s"), cert->host);
 357         alertpanel_full(buf, NULL, GTK_STOCK_CLOSE, NULL, NULL,
 358                         FALSE, cert_widget, ALERT_NOTICE, G_ALERTDEFAULT);
 359         g_free(buf);
 360 }
 361
 362 static gboolean sslcertwindow_ask_new_cert(SSLCertificate *cert)
 363 {
 364         gchar *buf, *sig_status;
 365         AlertValue val;
 366         GtkWidget *vbox;
 367         GtkWidget *label;
 368         GtkWidget *button;
 369         GtkWidget *cert_widget;
 370
 371         vbox = gtk_vbox_new(FALSE, 5);
 372         buf = g_strdup_printf(_("Certificate for %s is unknown.\nDo you want to accept it?"), cert->host);
 373         label = gtk_label_new(buf);
 374         gtk_misc_set_alignment (GTK_MISC (label), 0, 0.5);
 375         gtk_box_pack_start(GTK_BOX(vbox), label, TRUE, TRUE, 0);
 376         g_free(buf);
 377
 378 #if USE_OPENSSL
 379         sig_status = ssl_certificate_check_signer(cert->x509_cert);
 380 #else
 381         sig_status = ssl_certificate_check_signer(cert->x509_cert, cert->status);
 382 #endif
 383         if (sig_status==NULL)
 384                 sig_status = g_strdup(_("correct"));
 385
 386         buf = g_strdup_printf(_("Signature status: %s"), sig_status);
 387         label = gtk_label_new(buf);
 388         gtk_label_set_selectable(GTK_LABEL(label), TRUE);
 389         gtk_misc_set_alignment (GTK_MISC (label), 0, 0.5);
 390         gtk_box_pack_start(GTK_BOX(vbox), label, TRUE, TRUE, 0);
 391         g_free(buf);
 392         g_free(sig_status);
 393
 394         button = gtk_expander_new_with_mnemonic(_("_View certificate"));
 395         gtk_box_pack_start(GTK_BOX(vbox), button, FALSE, FALSE, 0);
 396         cert_widget = cert_presenter(cert);
 397         gtk_container_add(GTK_CONTAINER(button), cert_widget);
 398
 399         val = alertpanel_full(_("Unknown SSL Certificate"), NULL,
 400                               _("_Cancel connection"), _("_Accept and save"), NULL,
 401                               FALSE, vbox, ALERT_QUESTION, G_ALERTDEFAULT);
 402
 403         return (val == G_ALERTALTERNATE);
 404 }
 405
 406 static gboolean sslcertwindow_ask_expired_cert(SSLCertificate *cert)
 407 {
 408         gchar *buf, *sig_status;
 409         AlertValue val;
 410         GtkWidget *vbox;
 411         GtkWidget *label;
 412         GtkWidget *button;
 413         GtkWidget *cert_widget;
 414
 415         vbox = gtk_vbox_new(FALSE, 5);
 416         buf = g_strdup_printf(_("Certificate for %s is expired.\nDo you want to continue?"), cert->host);
 417         label = gtk_label_new(buf);
 418         gtk_misc_set_alignment (GTK_MISC (label), 0, 0.5);
 419         gtk_box_pack_start(GTK_BOX(vbox), label, TRUE, TRUE, 0);
 420         g_free(buf);
 421
 422 #if USE_OPENSSL
 423         sig_status = ssl_certificate_check_signer(cert->x509_cert);
 424 #else
 425         sig_status = ssl_certificate_check_signer(cert->x509_cert, cert->status);
 426 #endif
 427
 428         if (sig_status==NULL)
 429                 sig_status = g_strdup(_("correct"));
 430
 431         buf = g_strdup_printf(_("Signature status: %s"), sig_status);
 432         label = gtk_label_new(buf);
 433         gtk_label_set_selectable(GTK_LABEL(label), TRUE);
 434         gtk_misc_set_alignment (GTK_MISC (label), 0, 0.5);
 435         gtk_box_pack_start(GTK_BOX(vbox), label, TRUE, TRUE, 0);
 436         g_free(buf);
 437         g_free(sig_status);
 438
 439         button = gtk_expander_new_with_mnemonic(_("_View certificate"));
 440         gtk_box_pack_start(GTK_BOX(vbox), button, FALSE, FALSE, 0);
 441         cert_widget = cert_presenter(cert);
 442         gtk_container_add(GTK_CONTAINER(button), cert_widget);
 443
 444         val = alertpanel_full(_("Expired SSL Certificate"), NULL,
 445                               _("_Cancel connection"), _("_Accept"), NULL,
 446                               FALSE, vbox, ALERT_QUESTION, G_ALERTDEFAULT);
 447
 448         return (val == G_ALERTALTERNATE);
 449 }
 450
 451 static gboolean sslcertwindow_ask_changed_cert(SSLCertificate *old_cert, SSLCertificate *new_cert)
 452 {
 453         GtkWidget *old_cert_widget = cert_presenter(old_cert);
 454         GtkWidget *new_cert_widget = cert_presenter(new_cert);
 455         GtkWidget *vbox;
 456         gchar *buf, *sig_status;
 457         GtkWidget *vbox2;
 458         GtkWidget *label;
 459         GtkWidget *button;
 460         AlertValue val;
 461
 462         vbox = gtk_vbox_new(FALSE, 5);
 463         label = gtk_label_new(_("New certificate:"));
 464         gtk_misc_set_alignment (GTK_MISC (label), 0, 0.5);
 465         gtk_box_pack_end(GTK_BOX(vbox), new_cert_widget, TRUE, TRUE, 0);
 466         gtk_box_pack_end(GTK_BOX(vbox), label, TRUE, TRUE, 0);
 467         gtk_box_pack_end(GTK_BOX(vbox), gtk_hseparator_new(), TRUE, TRUE, 0);
 468         label = gtk_label_new(_("Known certificate:"));
 469         gtk_misc_set_alignment (GTK_MISC (label), 0, 0.5);
 470         gtk_box_pack_end(GTK_BOX(vbox), old_cert_widget, TRUE, TRUE, 0);
 471         gtk_box_pack_end(GTK_BOX(vbox), label, TRUE, TRUE, 0);
 472         gtk_widget_show_all(vbox);
 473
 474         vbox2 = gtk_vbox_new(FALSE, 5);
 475         buf = g_strdup_printf(_("Certificate for %s has changed. Do you want to accept it?"), new_cert->host);
 476         label = gtk_label_new(buf);
 477         gtk_misc_set_alignment (GTK_MISC (label), 0, 0.5);
 478         gtk_box_pack_start(GTK_BOX(vbox2), label, TRUE, TRUE, 0);
 479         g_free(buf);
 480
 481 #if USE_OPENSSL
 482         sig_status = ssl_certificate_check_signer(new_cert->x509_cert);
 483 #else
 484         sig_status = ssl_certificate_check_signer(new_cert->x509_cert, new_cert->status);
 485 #endif
 486
 487         if (sig_status==NULL)
 488                 sig_status = g_strdup(_("correct"));
 489
 490         buf = g_strdup_printf(_("Signature status: %s"), sig_status);
 491         label = gtk_label_new(buf);
 492         gtk_label_set_selectable(GTK_LABEL(label), TRUE);
 493         gtk_misc_set_alignment (GTK_MISC (label), 0, 0.5);
 494         gtk_box_pack_start(GTK_BOX(vbox2), label, TRUE, TRUE, 0);
 495         g_free(buf);
 496         g_free(sig_status);
 497
 498         button = gtk_expander_new_with_mnemonic(_("_View certificates"));
 499         gtk_box_pack_start(GTK_BOX(vbox2), button, FALSE, FALSE, 0);
 500         gtk_container_add(GTK_CONTAINER(button), vbox);
 501
 502         val = alertpanel_full(_("Changed SSL Certificate"), NULL,
 503                               _("_Cancel connection"), _("_Accept and save"), NULL,
 504                               FALSE, vbox2, ALERT_WARNING, G_ALERTDEFAULT);
 505
 506         return (val == G_ALERTALTERNATE);
 507 }
 508 #endif