fix bug 4143, 'fingerprint in SSL/TLS certificates for ... (regress error)'
[claws.git] / src / gtk / sslcertwindow.c
1 /*
2  * Claws Mail -- a GTK+ based, lightweight, and fast e-mail client
3  * Copyright (C) 1999-2019 Colin Leroy <colin@colino.net>
4  * and the Claws Mail team
5  *
6  * This program is free software; you can redistribute it and/or modify
7  * it under the terms of the GNU General Public License as published by
8  * the Free Software Foundation; either version 3 of the License, or
9  * (at your option) any later version.
10  *
11  * This program is distributed in the hope that it will be useful,
12  * but WITHOUT ANY WARRANTY; without even the implied warranty of
13  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
14  * GNU General Public License for more details.
15  *
16  * You should have received a copy of the GNU General Public License
17  * along with this program. If not, see <http://www.gnu.org/licenses/>.
18  * 
19  */
20
21 #ifdef HAVE_CONFIG_H
22 #  include "config.h"
23 #include "claws-features.h"
24 #endif
25
26 #ifdef USE_GNUTLS
27
28 #include <gnutls/gnutls.h>
29 #include <gnutls/x509.h>
30 #include <sys/types.h>
31 #include <sys/stat.h>
32 #include <stdio.h>
33 #include <unistd.h>
34 #include <string.h>
35
36 #include <glib.h>
37 #include <glib/gi18n.h>
38 #include <gtk/gtk.h>
39
40 #include "prefs_common.h"
41 #include "defs.h"
42 #include "ssl_certificate.h"
43 #include "utils.h"
44 #include "alertpanel.h"
45 #include "hooks.h"
46
47 static gboolean sslcertwindow_ask_new_cert(SSLCertificate *cert);
48 static gboolean sslcertwindow_ask_expired_cert(SSLCertificate *cert);
49 static gboolean sslcertwindow_ask_changed_cert(SSLCertificate *old_cert, SSLCertificate *new_cert);
50
51 static GtkWidget *cert_presenter(SSLCertificate *cert)
52 {
53         GtkWidget *vbox = NULL;
54         GtkWidget *hbox = NULL;
55         GtkWidget *frame_owner = NULL;
56         GtkWidget *frame_signer = NULL;
57         GtkWidget *frame_status = NULL;
58         GtkTable *owner_table = NULL;
59         GtkTable *signer_table = NULL;
60         GtkTable *status_table = NULL;
61         GtkWidget *label = NULL;
62         
63         char *issuer_commonname, *issuer_location, *issuer_organization;
64         char *subject_commonname, *subject_location, *subject_organization;
65         char *sig_status, *exp_date;
66         char *sha1_fingerprint, *sha256_fingerprint, *fingerprint;
67         size_t n;
68         char buf[100];
69         unsigned char md[128];  
70         char *tmp;
71         time_t exp_time_t;
72         struct tm lt;
73         guint ret;
74
75         /* issuer */    
76         issuer_commonname = g_malloc(BUFFSIZE);
77         issuer_location = g_malloc(BUFFSIZE);
78         issuer_organization = g_malloc(BUFFSIZE);
79         subject_commonname = g_malloc(BUFFSIZE);
80         subject_location = g_malloc(BUFFSIZE);
81         subject_organization = g_malloc(BUFFSIZE);
82
83         n = BUFFSIZE;
84         if (gnutls_x509_crt_get_issuer_dn_by_oid(cert->x509_cert, 
85                 GNUTLS_OID_X520_COMMON_NAME, 0, 0, issuer_commonname, &n))
86                 strncpy(issuer_commonname, _("<not in certificate>"), BUFFSIZE);
87         n = BUFFSIZE;
88
89         if (gnutls_x509_crt_get_issuer_dn_by_oid(cert->x509_cert, 
90                 GNUTLS_OID_X520_LOCALITY_NAME, 0, 0, issuer_location, &n)) {
91                 if (gnutls_x509_crt_get_issuer_dn_by_oid(cert->x509_cert, 
92                         GNUTLS_OID_X520_COUNTRY_NAME, 0, 0, issuer_location, &n)) {
93                         strncpy(issuer_location, _("<not in certificate>"), BUFFSIZE);
94                 }
95         } else {
96                 tmp = g_malloc(BUFFSIZE);
97                 if (gnutls_x509_crt_get_issuer_dn_by_oid(cert->x509_cert, 
98                         GNUTLS_OID_X520_COUNTRY_NAME, 0, 0, tmp, &n) == 0) {
99                         strncat(issuer_location, ", ", BUFFSIZE-strlen(issuer_location)-1);
100                         strncat(issuer_location, tmp, BUFFSIZE-strlen(issuer_location)-1);
101                 }
102                 g_free(tmp);
103         }
104
105         n = BUFFSIZE;
106         if (gnutls_x509_crt_get_issuer_dn_by_oid(cert->x509_cert, 
107                 GNUTLS_OID_X520_ORGANIZATION_NAME, 0, 0, issuer_organization, &n))
108                 strncpy(issuer_organization, _("<not in certificate>"), BUFFSIZE);
109
110         n = BUFFSIZE;
111         if (gnutls_x509_crt_get_dn_by_oid(cert->x509_cert, 
112                 GNUTLS_OID_X520_COMMON_NAME, 0, 0, subject_commonname, &n))
113                 strncpy(subject_commonname, _("<not in certificate>"), BUFFSIZE);
114         n = BUFFSIZE;
115
116         if (gnutls_x509_crt_get_dn_by_oid(cert->x509_cert, 
117                 GNUTLS_OID_X520_LOCALITY_NAME, 0, 0, subject_location, &n)) {
118                 if (gnutls_x509_crt_get_dn_by_oid(cert->x509_cert, 
119                         GNUTLS_OID_X520_COUNTRY_NAME, 0, 0, subject_location, &n)) {
120                         strncpy(subject_location, _("<not in certificate>"), BUFFSIZE);
121                 }
122         } else {
123                 tmp = g_malloc(BUFFSIZE);
124                 if (gnutls_x509_crt_get_dn_by_oid(cert->x509_cert, 
125                         GNUTLS_OID_X520_COUNTRY_NAME, 0, 0, tmp, &n) == 0) {
126                         strncat(subject_location, ", ", BUFFSIZE-strlen(subject_location)-1);
127                         strncat(subject_location, tmp, BUFFSIZE-strlen(subject_location)-1);
128                 }
129                 g_free(tmp);
130         }
131
132         n = BUFFSIZE;
133         if (gnutls_x509_crt_get_dn_by_oid(cert->x509_cert, 
134                 GNUTLS_OID_X520_ORGANIZATION_NAME, 0, 0, subject_organization, &n))
135                 strncpy(subject_organization, _("<not in certificate>"), BUFFSIZE);
136                 
137         exp_time_t = gnutls_x509_crt_get_expiration_time(cert->x509_cert);
138
139         memset(buf, 0, sizeof(buf));
140         if (exp_time_t > 0) {
141                 fast_strftime(buf, sizeof(buf)-1, prefs_common.date_format, localtime_r(&exp_time_t, &lt));
142                 exp_date = (*buf) ? g_strdup(buf):g_strdup("?");
143         } else
144                 exp_date = g_strdup("");
145
146         /* fingerprints */
147         n = 0;
148         memset(md, 0, sizeof(md));
149         if ((ret = gnutls_x509_crt_get_fingerprint(cert->x509_cert, GNUTLS_DIG_SHA1, md, &n)) == GNUTLS_E_SHORT_MEMORY_BUFFER) {
150                 if (n <= sizeof(md))
151                         ret = gnutls_x509_crt_get_fingerprint(cert->x509_cert, GNUTLS_DIG_SHA1, md, &n);
152         }
153
154         if (ret != 0)
155                 g_warning("failed to obtain SHA1 fingerprint: %d", ret);
156         sha1_fingerprint = readable_fingerprint(md, (int)n); /* all zeroes */
157
158         n = 0;
159         memset(md, 0, sizeof(md));
160         if ((ret = gnutls_x509_crt_get_fingerprint(cert->x509_cert, GNUTLS_DIG_SHA256, md, &n)) == GNUTLS_E_SHORT_MEMORY_BUFFER) {
161                 if (n <= sizeof(md))
162                         ret = gnutls_x509_crt_get_fingerprint(cert->x509_cert, GNUTLS_DIG_SHA256, md, &n);
163         }
164
165         if (ret != 0)
166                 g_warning("failed to obtain SHA256 fingerprint: %d", ret);
167         sha256_fingerprint = readable_fingerprint(md, (int)n); /* all zeroes */
168
169
170         /* signature */
171         sig_status = ssl_certificate_check_signer(cert, cert->status);
172
173         if (sig_status==NULL)
174                 sig_status = g_strdup_printf(_("Correct%s"),exp_time_t < time(NULL)? _(" (expired)"): "");
175         else if (exp_time_t < time(NULL))
176                           sig_status = g_strconcat(sig_status,_(" (expired)"),NULL);
177
178         vbox = gtk_vbox_new(FALSE, 5);
179         hbox = gtk_hbox_new(FALSE, 5);
180         
181         frame_owner  = gtk_frame_new(_("Owner"));
182         frame_signer = gtk_frame_new(_("Signer"));
183         frame_status = gtk_frame_new(_("Status"));
184         
185         owner_table = GTK_TABLE(gtk_table_new(3, 2, FALSE));
186         signer_table = GTK_TABLE(gtk_table_new(3, 2, FALSE));
187         status_table = GTK_TABLE(gtk_table_new(3, 2, FALSE));
188         
189         label = gtk_label_new(_("Name: "));
190         gtk_misc_set_alignment (GTK_MISC (label), 1, 0.5);
191         gtk_table_attach(owner_table, label, 0, 1, 0, 1, GTK_EXPAND|GTK_FILL, 0, 0, 0);
192         label = gtk_label_new(subject_commonname);
193         gtk_label_set_selectable(GTK_LABEL(label), TRUE);
194         gtk_misc_set_alignment (GTK_MISC (label), 0, 0.5);
195         gtk_table_attach(owner_table, label, 1, 2, 0, 1, GTK_EXPAND|GTK_FILL, 0, 0, 0);
196         
197         label = gtk_label_new(_("Organization: "));
198         gtk_misc_set_alignment (GTK_MISC (label), 1, 0.5);
199         gtk_table_attach(owner_table, label, 0, 1, 1, 2, GTK_EXPAND|GTK_FILL, 0, 0, 0);
200         label = gtk_label_new(subject_organization);
201         gtk_label_set_selectable(GTK_LABEL(label), TRUE);
202         gtk_misc_set_alignment (GTK_MISC (label), 0, 0.5);
203         gtk_table_attach(owner_table, label, 1, 2, 1, 2, GTK_EXPAND|GTK_FILL, 0, 0, 0);
204         
205         label = gtk_label_new(_("Location: "));
206         gtk_misc_set_alignment (GTK_MISC (label), 1, 0.5);
207         gtk_table_attach(owner_table, label, 0, 1, 2, 3, GTK_EXPAND|GTK_FILL, 0, 0, 0);
208         label = gtk_label_new(subject_location);
209         gtk_label_set_selectable(GTK_LABEL(label), TRUE);
210         gtk_misc_set_alignment (GTK_MISC (label), 0, 0.5);
211         gtk_table_attach(owner_table, label, 1, 2, 2, 3, GTK_EXPAND|GTK_FILL, 0, 0, 0);
212
213         label = gtk_label_new(_("Name: "));
214         gtk_misc_set_alignment (GTK_MISC (label), 1, 0.5);
215         gtk_table_attach(signer_table, label, 0, 1, 0, 1, GTK_EXPAND|GTK_FILL, 0, 0, 0);
216         label = gtk_label_new(issuer_commonname);
217         gtk_label_set_selectable(GTK_LABEL(label), TRUE);
218         gtk_misc_set_alignment (GTK_MISC (label), 0, 0.5);
219         gtk_table_attach(signer_table, label, 1, 2, 0, 1, GTK_EXPAND|GTK_FILL, 0, 0, 0);
220         
221         label = gtk_label_new(_("Organization: "));
222         gtk_misc_set_alignment (GTK_MISC (label), 1, 0.5);
223         gtk_table_attach(signer_table, label, 0, 1, 1, 2, GTK_EXPAND|GTK_FILL, 0, 0, 0);
224         label = gtk_label_new(issuer_organization);
225         gtk_label_set_selectable(GTK_LABEL(label), TRUE);
226         gtk_misc_set_alignment (GTK_MISC (label), 0, 0.5);
227         gtk_table_attach(signer_table, label, 1, 2, 1, 2, GTK_EXPAND|GTK_FILL, 0, 0, 0);
228         
229         label = gtk_label_new(_("Location: "));
230         gtk_misc_set_alignment (GTK_MISC (label), 1, 0.5);
231         gtk_table_attach(signer_table, label, 0, 1, 2, 3, GTK_EXPAND|GTK_FILL, 0, 0, 0);
232         label = gtk_label_new(issuer_location);
233         gtk_label_set_selectable(GTK_LABEL(label), TRUE);
234         gtk_misc_set_alignment (GTK_MISC (label), 0, 0.5);
235         gtk_table_attach(signer_table, label, 1, 2, 2, 3, GTK_EXPAND|GTK_FILL, 0, 0, 0);
236
237         label = gtk_label_new(_("Fingerprint: \n"));
238         gtk_misc_set_alignment (GTK_MISC (label), 1, 0.5);
239         gtk_table_attach(status_table, label, 0, 1, 0, 1, GTK_EXPAND|GTK_FILL, 0, 0, 0);
240         fingerprint = g_strdup_printf("SHA1: %s\nSHA256: %s",
241                                       sha1_fingerprint, sha256_fingerprint);
242         label = gtk_label_new(fingerprint);
243         g_free(fingerprint);
244         gtk_label_set_selectable(GTK_LABEL(label), TRUE);
245         gtk_misc_set_alignment (GTK_MISC (label), 0, 0.5);
246         gtk_table_attach(status_table, label, 1, 2, 0, 1, GTK_EXPAND|GTK_FILL, 0, 0, 0);
247         label = gtk_label_new(_("Signature status: "));
248         gtk_misc_set_alignment (GTK_MISC (label), 1, 0.5);
249         gtk_table_attach(status_table, label, 0, 1, 1, 2, GTK_EXPAND|GTK_FILL, 0, 0, 0);
250         label = gtk_label_new(sig_status);
251         gtk_label_set_selectable(GTK_LABEL(label), TRUE);
252         gtk_misc_set_alignment (GTK_MISC (label), 0, 0.5);
253         gtk_table_attach(status_table, label, 1, 2, 1, 2, GTK_EXPAND|GTK_FILL, 0, 0, 0);
254         label = gtk_label_new(exp_time_t < time(NULL)? _("Expired on: "): _("Expires on: "));
255         gtk_misc_set_alignment (GTK_MISC (label), 1, 0.5);
256         gtk_table_attach(status_table, label, 0, 1, 2, 3, GTK_EXPAND|GTK_FILL, 0, 0, 0);
257         label = gtk_label_new(exp_date);
258         gtk_label_set_selectable(GTK_LABEL(label), TRUE);
259         gtk_misc_set_alignment (GTK_MISC (label), 0, 0.5);
260         gtk_table_attach(status_table, label, 1, 2, 2, 3, GTK_EXPAND|GTK_FILL, 0, 0, 0);
261         
262         gtk_container_add(GTK_CONTAINER(frame_owner), GTK_WIDGET(owner_table));
263         gtk_container_add(GTK_CONTAINER(frame_signer), GTK_WIDGET(signer_table));
264         gtk_container_add(GTK_CONTAINER(frame_status), GTK_WIDGET(status_table));
265         
266         gtk_box_pack_end(GTK_BOX(hbox), frame_signer, TRUE, TRUE, 0);
267         gtk_box_pack_end(GTK_BOX(hbox), frame_owner, TRUE, TRUE, 0);
268         gtk_box_pack_end(GTK_BOX(vbox), frame_status, TRUE, TRUE, 0);
269         gtk_box_pack_end(GTK_BOX(vbox), hbox, TRUE, TRUE, 0);
270         
271         gtk_widget_show_all(vbox);
272         
273         g_free(issuer_commonname);
274         g_free(issuer_location);
275         g_free(issuer_organization);
276         g_free(subject_commonname);
277         g_free(subject_location);
278         g_free(subject_organization);
279         g_free(sha1_fingerprint);
280         g_free(sha256_fingerprint);
281         g_free(sig_status);
282         g_free(exp_date);
283         return vbox;
284 }
285
286 static gboolean sslcert_ask_hook(gpointer source, gpointer data)
287 {
288         SSLCertHookData *hookdata = (SSLCertHookData *)source;
289
290         if (hookdata == NULL) {
291                 return FALSE;
292         }
293         
294         if (prefs_common.skip_ssl_cert_check) {
295                 hookdata->accept = TRUE;
296                 return TRUE;
297         }
298
299         if (hookdata->old_cert == NULL) {
300                 if (hookdata->expired)
301                         hookdata->accept = sslcertwindow_ask_expired_cert(hookdata->cert);
302                 else
303                         hookdata->accept = sslcertwindow_ask_new_cert(hookdata->cert);
304         } else {
305                 hookdata->accept = sslcertwindow_ask_changed_cert(hookdata->old_cert, hookdata->cert);
306         }
307
308         return TRUE;
309 }
310
311 void sslcertwindow_register_hook(void)
312 {
313         hooks_register_hook(SSLCERT_ASK_HOOKLIST, sslcert_ask_hook, NULL);
314 }
315
316 void sslcertwindow_show_cert(SSLCertificate *cert)
317 {
318         GtkWidget *cert_widget = cert_presenter(cert);
319         gchar *buf;
320         
321         buf = g_strdup_printf(_("SSL/TLS certificate for %s"), cert->host);
322         alertpanel_full(buf, NULL, GTK_STOCK_CLOSE, NULL, NULL,
323                         ALERTFOCUS_FIRST, FALSE, cert_widget, ALERT_NOTICE);
324         g_free(buf);
325 }
326
327 static gchar *sslcertwindow_get_invalid_str(SSLCertificate *cert)
328 {
329         gchar *subject_cn = NULL;
330         gchar *str = NULL;
331
332         if (ssl_certificate_check_subject_cn(cert))
333                 return g_strdup("");
334         
335         subject_cn = ssl_certificate_get_subject_cn(cert);
336         
337         str = g_strdup_printf(_("Certificate is for %s, but connection is to %s.\n"
338                                 "You may be connecting to a rogue server.\n\n"), 
339                                 subject_cn, cert->host);
340         g_free(subject_cn);
341         
342         return str;
343 }
344
345 static gboolean sslcertwindow_ask_new_cert(SSLCertificate *cert)
346 {
347         gchar *buf, *sig_status;
348         AlertValue val;
349         GtkWidget *vbox;
350         GtkWidget *label;
351         GtkWidget *button;
352         GtkWidget *cert_widget;
353         gchar *invalid_str = sslcertwindow_get_invalid_str(cert);
354         const gchar *title;
355
356         vbox = gtk_vbox_new(FALSE, 5);
357         buf = g_strdup_printf(_("Certificate for %s is unknown.\n%sDo you want to accept it?"), cert->host, invalid_str);
358         g_free(invalid_str);
359
360         label = gtk_label_new(buf);
361         gtk_misc_set_alignment (GTK_MISC (label), 0, 0.5);
362         gtk_box_pack_start(GTK_BOX(vbox), label, TRUE, TRUE, 0);
363         g_free(buf);
364         
365         sig_status = ssl_certificate_check_signer(cert, cert->status);
366         if (sig_status==NULL)
367                 sig_status = g_strdup(_("Correct"));
368
369         buf = g_strdup_printf(_("Signature status: %s"), sig_status);
370         label = gtk_label_new(buf);
371         gtk_label_set_selectable(GTK_LABEL(label), TRUE);
372         gtk_misc_set_alignment (GTK_MISC (label), 0, 0.5);
373         gtk_box_pack_start(GTK_BOX(vbox), label, TRUE, TRUE, 0);
374         g_free(buf);
375         g_free(sig_status);
376         
377         button = gtk_expander_new_with_mnemonic(_("_View certificate"));
378         gtk_box_pack_start(GTK_BOX(vbox), button, FALSE, FALSE, 0);
379         cert_widget = cert_presenter(cert);
380         gtk_container_add(GTK_CONTAINER(button), cert_widget);
381
382         if (!ssl_certificate_check_subject_cn(cert))
383                 title = _("SSL/TLS certificate is invalid");
384         else
385                 title = _("SSL/TLS certificate is unknown");
386
387         val = alertpanel_full(title, NULL,
388                               _("_Cancel connection"), _("_Accept and save"), NULL,
389                               ALERTFOCUS_FIRST, FALSE, vbox, ALERT_QUESTION);
390         
391         return (val == G_ALERTALTERNATE);
392 }
393
394 static gboolean sslcertwindow_ask_expired_cert(SSLCertificate *cert)
395 {
396         gchar *buf, *sig_status;
397         AlertValue val;
398         GtkWidget *vbox;
399         GtkWidget *label;
400         GtkWidget *button;
401         GtkWidget *cert_widget;
402         gchar *invalid_str = sslcertwindow_get_invalid_str(cert);
403         const gchar *title;
404
405         vbox = gtk_vbox_new(FALSE, 5);
406         buf = g_strdup_printf(_("Certificate for %s is expired.\n%sDo you want to continue?"), cert->host, invalid_str);
407         g_free(invalid_str);
408
409         label = gtk_label_new(buf);
410         gtk_misc_set_alignment (GTK_MISC (label), 0, 0.5);
411         gtk_box_pack_start(GTK_BOX(vbox), label, TRUE, TRUE, 0);
412         g_free(buf);
413         
414         sig_status = ssl_certificate_check_signer(cert, cert->status);
415
416         if (sig_status==NULL)
417                 sig_status = g_strdup(_("Correct"));
418
419         buf = g_strdup_printf(_("Signature status: %s"), sig_status);
420         label = gtk_label_new(buf);
421         gtk_label_set_selectable(GTK_LABEL(label), TRUE);
422         gtk_misc_set_alignment (GTK_MISC (label), 0, 0.5);
423         gtk_box_pack_start(GTK_BOX(vbox), label, TRUE, TRUE, 0);
424         g_free(buf);
425         g_free(sig_status);
426         
427         button = gtk_expander_new_with_mnemonic(_("_View certificate"));
428         gtk_box_pack_start(GTK_BOX(vbox), button, FALSE, FALSE, 0);
429         cert_widget = cert_presenter(cert);
430         gtk_container_add(GTK_CONTAINER(button), cert_widget);
431
432         if (!ssl_certificate_check_subject_cn(cert))
433                 title = _("SSL/TLS certificate is invalid and expired");
434         else
435                 title = _("SSL/TLS certificate is expired");
436
437         val = alertpanel_full(title, NULL,
438                               _("_Cancel connection"), _("_Accept"), NULL,
439                               ALERTFOCUS_FIRST, FALSE, vbox, ALERT_QUESTION);
440         
441         return (val == G_ALERTALTERNATE);
442 }
443
444 static gboolean sslcertwindow_ask_changed_cert(SSLCertificate *old_cert, SSLCertificate *new_cert)
445 {
446         GtkWidget *old_cert_widget = cert_presenter(old_cert);
447         GtkWidget *new_cert_widget = cert_presenter(new_cert);
448         GtkWidget *vbox;
449         gchar *buf, *sig_status;
450         GtkWidget *vbox2;
451         GtkWidget *label;
452         GtkWidget *button;
453         AlertValue val;
454         gchar *invalid_str = sslcertwindow_get_invalid_str(new_cert);
455         const gchar *title;
456
457         vbox = gtk_vbox_new(FALSE, 5);
458         label = gtk_label_new(_("New certificate:"));
459         gtk_misc_set_alignment (GTK_MISC (label), 0, 0.5);
460         gtk_box_pack_end(GTK_BOX(vbox), new_cert_widget, TRUE, TRUE, 0);
461         gtk_box_pack_end(GTK_BOX(vbox), label, TRUE, TRUE, 0);
462         gtk_box_pack_end(GTK_BOX(vbox), gtk_hseparator_new(), TRUE, TRUE, 0);
463         label = gtk_label_new(_("Known certificate:"));
464         gtk_misc_set_alignment (GTK_MISC (label), 0, 0.5);
465         gtk_box_pack_end(GTK_BOX(vbox), old_cert_widget, TRUE, TRUE, 0);
466         gtk_box_pack_end(GTK_BOX(vbox), label, TRUE, TRUE, 0);
467         gtk_widget_show_all(vbox);
468         
469         vbox2 = gtk_vbox_new(FALSE, 5);
470         buf = g_strdup_printf(_("Certificate for %s has changed.\n%sDo you want to accept it?"), new_cert->host, invalid_str);
471         g_free(invalid_str);
472
473         label = gtk_label_new(buf);
474         gtk_misc_set_alignment (GTK_MISC (label), 0, 0.5);
475         gtk_box_pack_start(GTK_BOX(vbox2), label, TRUE, TRUE, 0);
476         g_free(buf);
477         
478         sig_status = ssl_certificate_check_signer(new_cert, new_cert->status);
479
480         if (sig_status==NULL)
481                 sig_status = g_strdup(_("Correct"));
482
483         buf = g_strdup_printf(_("Signature status: %s"), sig_status);
484         label = gtk_label_new(buf);
485         gtk_label_set_selectable(GTK_LABEL(label), TRUE);
486         gtk_misc_set_alignment (GTK_MISC (label), 0, 0.5);
487         gtk_box_pack_start(GTK_BOX(vbox2), label, TRUE, TRUE, 0);
488         g_free(buf);
489         g_free(sig_status);
490         
491         button = gtk_expander_new_with_mnemonic(_("_View certificates"));
492         gtk_box_pack_start(GTK_BOX(vbox2), button, FALSE, FALSE, 0);
493         gtk_container_add(GTK_CONTAINER(button), vbox);
494
495         if (!ssl_certificate_check_subject_cn(new_cert))
496                 title = _("SSL/TLS certificate changed and is invalid");
497         else
498                 title = _("SSL/TLS certificate changed");
499         val = alertpanel_full(title, NULL,
500                               _("_Cancel connection"), _("_Accept and save"), NULL,
501                               ALERTFOCUS_FIRST, FALSE, vbox2, ALERT_WARNING);
502         
503         return (val == G_ALERTALTERNATE);
504 }
505 #endif