Improving SSL status information from library.

Perry Werneck
1 parent e6c441c5
Showing 7 changed files with 98 additions and 58 deletions Show diff stats
src/include/lib3270/popup.h
src/lib3270/private.h
src/lib3270/properties.c
src/lib3270/session.c
src/lib3270/ssl/ctx_init.c
src/lib3270/ssl/linux/getcrl.c
src/lib3270/ssl/state.c
@@ -68,7 +68,8 @@
 	LIB3270_EXPORT void lib3270_popup_va(H3270 *session, LIB3270_NOTIFY id , const char *title, const char *message, const char *fmt, va_list);
-	LIB3270_EXPORT LIB3270_NOTIFY lib3270_get_ssl_state_icon(H3270 *hSession);
+	LIB3270_EXPORT LIB3270_NOTIFY	lib3270_get_ssl_state_icon(H3270 *hSession);
+	LIB3270_EXPORT const char *		lib3270_get_ssl_state_icon_name(H3270 *hSession);
 #ifdef __cplusplus
 	}
@@ -610,7 +610,11 @@ struct _h3270
 		LIB3270_SSL_STATE	  state;
 		unsigned long 		  error;
 #ifdef SSL_ENABLE_CRL_CHECK
-		char				* crl;
+		struct
+		{
+			char			* url;
+			X509_CRL 		* cert;
+		} crl;
 #endif // SSL_ENABLE_CRL_CHECK
 		SSL 				* con;
 	} ssl;
@@ -704,7 +708,7 @@ LIB3270_INTERNAL int	non_blocking(H3270 *session, Boolean on);
 	LIB3270_INTERNAL int ssl_3270_ex_index;
 	#ifdef SSL_ENABLE_CRL_CHECK
-		X509_CRL * lib3270_get_X509_CRL(H3270 *hSession, SSL_ERROR_MESSAGE * message);
+		int lib3270_get_X509_CRL(H3270 *hSession, SSL_ERROR_MESSAGE * message);
 	#endif // SSL_ENABLE_CRL_CHECK
 #endif
@@ -297,8 +297,8 @@
  const char * lib3270_get_crl_url(H3270 *hSession)
  {
 #ifdef SSL_ENABLE_CRL_CHECK
-	if(hSession->ssl.crl)
-		return hSession->ssl.crl;
+	if(hSession->ssl.url)
+		return hSession->ssl.url;
 #ifdef SSL_DEFAULT_CRL_URL
 	return SSL_DEFAULT_CRL_URL;
@@ -75,12 +75,17 @@ void lib3270_session_free(H3270 *h)
 	shutdown_toggles(h);
 #ifdef SSL_ENABLE_CRL_CHECK
-	if(h->ssl.crl)
+	if(h->ssl.crl.url)
 	{
-		free(h->ssl.crl);
-		h->ssl.crl = NULL;
+		free(h->ssl.url);
+		h->ssl.url = NULL;
+	}
+
+	if(h->ssl.crl.cert)
+	{
+		X509_CRL_free(h->ssl.crl.cert);
+		h->ssl.crl.cert = NULL;
 	}
-#endif // SSL_ENABLE_CRL_CHECK
 	// Release state change callbacks
 	for(f=0;f<LIB3270_STATE_USER;f++)
@@ -92,6 +97,7 @@ void lib3270_session_free(H3270 *h)
 			h->st_callbacks[f] = next;
 		}
 	}
+#endif // SSL_ENABLE_CRL_CHECK
 	// Release memory
 	#define release_pointer(x) lib3270_free(x); x = NULL;
@@ -63,14 +63,6 @@
 /*--[ Implement ]------------------------------------------------------------------------------------*/
-#ifdef SSL_ENABLE_CRL_CHECK
-static inline void lib3270_autoptr_cleanup_X509_CRL(X509_CRL **crl)
-{
-	if(*crl)
-		X509_CRL_free(*crl);
-}
-#endif // SSL_ENABLE_CRL_CHECK
-
 /**
  * @brief Initialize openssl library.
  *
@@ -138,9 +130,7 @@ int ssl_ctx_init(H3270 *hSession, SSL_ERROR_MESSAGE * message)
 	//
 	// https://stackoverflow.com/questions/10510850/how-to-verify-the-certificate-for-the-ongoing-ssl-session
 	//
-	lib3270_autoptr(X509_CRL) crl = lib3270_get_X509_CRL(hSession,message);
-
-	if(!crl)
+	if(lib3270_get_X509_CRL(hSession,message))
 		return  -1;
 	if(lib3270_get_toggle(hSession,LIB3270_TOGGLE_SSL_TRACE))
@@ -170,6 +160,7 @@ int ssl_ctx_init(H3270 *hSession, SSL_ERROR_MESSAGE * message)
 	X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CRL_CHECK);
 	X509_STORE_set1_param(store, param);
 	X509_VERIFY_PARAM_free(param);
+
 #endif // SSL_ENABLE_CRL_CHECK
 	return 0;
@@ -215,9 +215,8 @@ static int internal_curl_trace_callback(CURL *handle unused, curl_infotype type,
 #endif // HAVE_LIBCURL
-X509_CRL * lib3270_get_X509_CRL(H3270 *hSession, SSL_ERROR_MESSAGE * message)
+int lib3270_get_X509_CRL(H3270 *hSession, SSL_ERROR_MESSAGE * message)
 {
-	X509_CRL	* crl = NULL;
 	const char	* consturl = lib3270_get_crl_url(hSession);
 	if(!(consturl && *consturl))
@@ -226,7 +225,7 @@ X509_CRL * lib3270_get_X509_CRL(H3270 *hSession, SSL_ERROR_MESSAGE * message)
 		message->title = N_( "Security error" );
 		message->text = N_( "Can't open CRL File" );
 		message->description = N_("The URL for the CRL is undefined or empty");
-		return NULL;
+		return errno = ENOENT;
 	}
 	trace_ssl(hSession, "crl=%s\n",consturl);
@@ -238,17 +237,19 @@ X509_CRL * lib3270_get_X509_CRL(H3270 *hSession, SSL_ERROR_MESSAGE * message)
 		if(!hCRL)
 		{
 			// Can't open CRL File.
+			int err = errno;
+
 			message->error = hSession->ssl.error = 0;
 			message->title = N_( "Security error" );
 			message->text = N_( "Can't open CRL File" );
 			message->description = strerror(errno);
 			lib3270_write_log(hSession,"ssl","Can't open %s: %s",consturl,message->description);
-			return NULL;
+			return err;
 		}
 		lib3270_write_log(hSession,"ssl","Loading CRL from %s",consturl+7);
-		d2i_X509_CRL_fp(hCRL, &crl);
+		d2i_X509_CRL_fp(hCRL, &hSession->ssl.crl.cert);
 	}
 #ifdef HAVE_LDAP
@@ -265,7 +266,7 @@ X509_CRL * lib3270_get_X509_CRL(H3270 *hSession, SSL_ERROR_MESSAGE * message)
 			message->title = N_( "Security error" );
 			message->text = N_( "No DN of the entry at which to start the search on the URL" );
 			message->description = _( "The URL argument should be in the format ldap://[HOST]/[DN]?attribute" );
-			return NULL;
+			return errno = EINVAL;
 		}
 		*(base++) = 0;
@@ -277,7 +278,7 @@ X509_CRL * lib3270_get_X509_CRL(H3270 *hSession, SSL_ERROR_MESSAGE * message)
 			message->title = N_( "Security error" );
 			message->text = N_( "No LDAP attribute on the URL" );
 			message->description = _( "The URL argument should be in the format ldap://[HOST]/[DN]?attribute" );
-			return NULL;
+			return errno = EINVAL;
 		}
         *(attrs[0]++) = 0;
@@ -298,7 +299,7 @@ X509_CRL * lib3270_get_X509_CRL(H3270 *hSession, SSL_ERROR_MESSAGE * message)
 			message->text = N_( "Can't initialize LDAP" );
 			message->description = ldap_err2string(rc);
 			lib3270_write_log(hSession,"ssl","%s: %s",url, message->description);
-			return NULL;
+			return -1;
 		}
 		unsigned long version = LDAP_VERSION3;
@@ -309,7 +310,7 @@ X509_CRL * lib3270_get_X509_CRL(H3270 *hSession, SSL_ERROR_MESSAGE * message)
 			message->text = N_( "Can't set LDAP version" );
 			message->description = ldap_err2string(rc);
 			lib3270_write_log(hSession,"ssl","%s: %s",url, message->description);
-			return NULL;
+			return -1;
 		}
 		rc = ldap_simple_bind_s(ld, "", "");
@@ -320,7 +321,7 @@ X509_CRL * lib3270_get_X509_CRL(H3270 *hSession, SSL_ERROR_MESSAGE * message)
 			message->text = N_( "Can't bind to LDAP server" );
 			message->description = ldap_err2string(rc);
 			lib3270_write_log(hSession,"ssl","%s: %s",url, message->description);
-			return NULL;
+			return -1;
 		}
 		lib3270_autoptr(LDAPMessage) results = NULL;
@@ -345,7 +346,7 @@ X509_CRL * lib3270_get_X509_CRL(H3270 *hSession, SSL_ERROR_MESSAGE * message)
 			message->text = N_( "Can't search LDAP server" );
 			message->description = ldap_err2string(rc);
 			lib3270_write_log(hSession,"ssl","%s: %s",url, message->description);
-			return NULL;
+			return -1;
 		}
 		char __attribute__ ((__cleanup__(lib3270_autoptr_cleanup_LDAPPTR))) *attr = ldap_first_attribute(ld, results, &ber);
@@ -356,7 +357,7 @@ X509_CRL * lib3270_get_X509_CRL(H3270 *hSession, SSL_ERROR_MESSAGE * message)
 			message->text = N_( "Can't get LDAP attribute" );
 			message->description = N_("Search did not produce any attributes.");
 			lib3270_write_log(hSession,"ssl","%s: %s",url, message->description);
-			return NULL;
+			return errno = ENOENT;
 		}
 		struct berval ** value = ldap_get_values_len(ld, results, attr);
@@ -367,7 +368,7 @@ X509_CRL * lib3270_get_X509_CRL(H3270 *hSession, SSL_ERROR_MESSAGE * message)
 			message->text = N_( "Can't get LDAP attribute" );
 			message->description = N_("Search did not produce any values.");
 			lib3270_write_log(hSession,"ssl","%s: %s",url, message->description);
-			return NULL;
+			return errno = ENOENT;
 		}
 		if(lib3270_get_toggle(hSession,LIB3270_TOGGLE_SSL_TRACE))
@@ -383,12 +384,14 @@ X509_CRL * lib3270_get_X509_CRL(H3270 *hSession, SSL_ERROR_MESSAGE * message)
 		// Precisa salvar uma cópia porque d2i_X509_CRL modifica o ponteiro.
 		const unsigned char *crl_data = (const unsigned char *) value[0]->bv_val;
-		if(!d2i_X509_CRL(&crl, &crl_data, value[0]->bv_len))
+		if(!d2i_X509_CRL(&hSession->ssl.crl.cert, &crl_data, value[0]->bv_len))
 		{
 			message->error = hSession->ssl.error = ERR_get_error();
 			message->title = N_( "Security error" );
 			message->text = N_( "Can't get CRL from LDAP Search" );
 			lib3270_write_log(hSession,"ssl","%s: %s",url, message->text);
+			ldap_value_free_len(value);
+			return -1;
 		}
 		ldap_value_free_len(value);
@@ -448,7 +451,7 @@ X509_CRL * lib3270_get_X509_CRL(H3270 *hSession, SSL_ERROR_MESSAGE * message)
 				}
 				lib3270_write_log(hSession,"ssl","%s: %s",consturl, message->description);
-				return NULL;
+				return -1;
 			}
@@ -461,21 +464,8 @@ X509_CRL * lib3270_get_X509_CRL(H3270 *hSession, SSL_ERROR_MESSAGE * message)
 				message->text = N_( "Error loading CRL" );
 				message->description =  curl_easy_strerror(res);
 				lib3270_write_log(hSession,"ssl","%s: %s",consturl, message->description);
-				return NULL;
-			}
-
-			/*
-			if(lib3270_get_toggle(hSession,LIB3270_TOGGLE_SSL_TRACE))
-			{
-				lib3270_autoptr(char) msg = lib3270_strdup_printf("CRL Data received with content-type \"%s\"", (ct ? ct : "undefined"));
-				lib3270_trace_data(
-					hSession,
-					msg,
-					(const char *) crl_data->contents,
-					crl_data->length
-				);
+				return -1;
 			}
-			*/
 			if(ct)
 			{
@@ -484,13 +474,13 @@ X509_CRL * lib3270_get_X509_CRL(H3270 *hSession, SSL_ERROR_MESSAGE * message)
 				if(strcasecmp(ct,"application/pkix-crl") == 0)
 				{
 					// CRL File, convert it
-					if(!d2i_X509_CRL(&crl, &data, crl_data->length))
+					if(!d2i_X509_CRL(&hSession->ssl.crl.cert, &data, crl_data->length))
 					{
 						message->error = hSession->ssl.error = ERR_get_error();
 						message->title = N_( "Security error" );
 						message->text = N_( "Got an invalid CRL from server" );
 						lib3270_write_log(hSession,"ssl","%s: %s",consturl, message->text);
-						return NULL;
+						return -1;
 					}
 				}
 				else
@@ -499,7 +489,7 @@ X509_CRL * lib3270_get_X509_CRL(H3270 *hSession, SSL_ERROR_MESSAGE * message)
 					message->title = N_( "Security error" );
 					message->text = N_( "Got an invalid CRL from server" );
 					lib3270_write_log(hSession,"ssl","%s: content-type unexpected: \"%s\"",consturl, ct);
-					return NULL;
+					return -1;
 				}
 			}
 			else if(strncasecmp(consturl,"ldap://",7) == 0)
@@ -512,7 +502,7 @@ X509_CRL * lib3270_get_X509_CRL(H3270 *hSession, SSL_ERROR_MESSAGE * message)
 					message->title = N_( "Security error" );
 					message->text = N_( "Got an invalid CRL from LDAP server" );
 					lib3270_write_log(hSession,"ssl","%s: invalid format:\n%s\n",consturl, crl_data->contents);
-					return NULL;
+					return -1;
 				}
 				data += 3;
@@ -523,13 +513,13 @@ X509_CRL * lib3270_get_X509_CRL(H3270 *hSession, SSL_ERROR_MESSAGE * message)
 				BIO_set_flags(bio, BIO_FLAGS_BASE64_NO_NL);
-				if(!d2i_X509_CRL_bio(bio, &crl))
+				if(!d2i_X509_CRL_bio(bio, &hSession->ssl.crl.cert))
 				{
 					message->error = hSession->ssl.error = ERR_get_error();
 					message->title = N_( "Security error" );
 					message->text = N_( "Got an invalid CRL from server" );
 					lib3270_write_log(hSession,"ssl","%s: %s",consturl, message->text);
-					return NULL;
+					return -1;
 				}
 			}
@@ -544,11 +534,11 @@ X509_CRL * lib3270_get_X509_CRL(H3270 *hSession, SSL_ERROR_MESSAGE * message)
 		message->text = N_( "Unexpected or invalid CRL URL" );
 		message->description = N_("The URL scheme is unknown");
 		lib3270_write_log(hSession,"ssl","%s: %s",consturl, message->description);
-		return NULL;
+		return errno = EINVAL;
 #endif // HAVE_LIBCURL
 	}
-	return crl;
+	return hSession->ssl.crl.cert == NULL ? -1 : 0;
 }
@@ -84,6 +84,7 @@ void set_ssl_state(H3270 *hSession, LIB3270_SSL_STATE state)
  {
 	long			  id;
 	LIB3270_NOTIFY	  icon;
+	const char		* iconName;		// Icon name from https://specifications.freedesktop.org/icon-naming-spec/icon-naming-spec-latest.html
 	const char		* message;
 	const char		* description;
  }
@@ -93,6 +94,7 @@ void set_ssl_state(H3270 *hSession, LIB3270_SSL_STATE state)
 	{
 		X509_V_OK,
 		LIB3270_NOTIFY_SECURE,
+		"security-high",
 		N_( "Secure connection was successful." ),
 		N_( "The connection is secure and the host identity was confirmed." )
 	},
@@ -100,6 +102,7 @@ void set_ssl_state(H3270 *hSession, LIB3270_SSL_STATE state)
 	{
 		X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT,
 		LIB3270_NOTIFY_ERROR,
+		"dialog-error",
 		N_( "Unable to get issuer certificate" ),
 		N_( "The issuer certificate of a looked up certificate could not be found. This normally means the list of trusted certificates is not complete." )
 	},
@@ -107,6 +110,7 @@ void set_ssl_state(H3270 *hSession, LIB3270_SSL_STATE state)
 	{
 		X509_V_ERR_UNABLE_TO_GET_CRL,
 		LIB3270_NOTIFY_ERROR,
+		"dialog-error",
 		N_( "Unable to get certificate CRL." ),
 		N_( "The Certificate revocation list (CRL) of a certificate could not be found." )
 	},
@@ -114,6 +118,7 @@ void set_ssl_state(H3270 *hSession, LIB3270_SSL_STATE state)
 	{
 		X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE,
 		LIB3270_NOTIFY_ERROR,
+		"dialog-error",
 		N_( "Unable to decrypt certificate's signature" ),
 		N_( "The certificate signature could not be decrypted. This means that the actual signature value could not be determined rather than it not matching the expected value, this is only meaningful for RSA keys." )
 	},
@@ -121,6 +126,7 @@ void set_ssl_state(H3270 *hSession, LIB3270_SSL_STATE state)
 	{
 		X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE,
 		LIB3270_NOTIFY_ERROR,
+		"dialog-error",
 		N_( "Unable to decrypt CRL's signature" ),
 		N_( "The CRL signature could not be decrypted: this means that the actual signature value could not be determined rather than it not matching the expected value. Unused." )
 	},
@@ -128,6 +134,7 @@ void set_ssl_state(H3270 *hSession, LIB3270_SSL_STATE state)
 	{
 		X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY,
 		LIB3270_NOTIFY_ERROR,
+		"dialog-error",
 		N_( "Unable to decode issuer public key" ),
 		N_( "The public key in the certificate SubjectPublicKeyInfo could not be read." )
 	},
@@ -135,6 +142,7 @@ void set_ssl_state(H3270 *hSession, LIB3270_SSL_STATE state)
 	{
 		X509_V_ERR_CERT_SIGNATURE_FAILURE,
 		LIB3270_NOTIFY_ERROR,
+		"dialog-error",
 		N_( "Certificate signature failure" ),
 		N_( "The signature of the certificate is invalid." )
 	},
@@ -142,6 +150,7 @@ void set_ssl_state(H3270 *hSession, LIB3270_SSL_STATE state)
 	{
 		X509_V_ERR_CRL_SIGNATURE_FAILURE,
 		LIB3270_NOTIFY_ERROR,
+		"dialog-error",
 		N_( "CRL signature failure" ),
 		N_( "The signature of the certificate is invalid." )
 	},
@@ -149,6 +158,7 @@ void set_ssl_state(H3270 *hSession, LIB3270_SSL_STATE state)
 	{
 		X509_V_ERR_CERT_NOT_YET_VALID,
 		LIB3270_NOTIFY_WARNING,
+		"dialog-warning",
 		N_( "Certificate is not yet valid" ),
 		N_( "The certificate is not yet valid: the notBefore date is after the current time." )
 	},
@@ -156,6 +166,7 @@ void set_ssl_state(H3270 *hSession, LIB3270_SSL_STATE state)
 	{
 		X509_V_ERR_CERT_HAS_EXPIRED,
 		LIB3270_NOTIFY_ERROR,
+		"dialog-error",
 		N_( "Certificate has expired" ),
 		N_( "The certificate has expired: that is the notAfter date is before the current time." )
 	},
@@ -163,6 +174,7 @@ void set_ssl_state(H3270 *hSession, LIB3270_SSL_STATE state)
 	{
 		X509_V_ERR_CRL_NOT_YET_VALID,
 		LIB3270_NOTIFY_WARNING,
+		"dialog-error",
 		N_( "The CRL is not yet valid." ),
 		N_( "The Certificate revocation list (CRL) is not yet valid." )
 	},
@@ -174,6 +186,7 @@ void set_ssl_state(H3270 *hSession, LIB3270_SSL_STATE state)
 #else
 		LIB3270_NOTIFY_WARNING,
 #endif // SSL_ENABLE_CRL_EXPIRATION_CHECK
+		"security-medium",
 		N_( "The CRL has expired." ),
 		N_( "The Certificate revocation list (CRL) has expired.")
 	},
@@ -181,6 +194,7 @@ void set_ssl_state(H3270 *hSession, LIB3270_SSL_STATE state)
 	{
 		X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD,
 		LIB3270_NOTIFY_ERROR,
+		"dialog-error",
 		N_( "Format error in certificate's notBefore field" ),
 		N_( "The certificate notBefore field contains an invalid time." )
 	},
@@ -188,6 +202,7 @@ void set_ssl_state(H3270 *hSession, LIB3270_SSL_STATE state)
 	{
 		X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD,
 		LIB3270_NOTIFY_ERROR,
+		"dialog-error",
 		N_( "Format error in certificate's notAfter field" ),
 		N_( "The certificate notAfter field contains an invalid time." )
 	},
@@ -195,6 +210,7 @@ void set_ssl_state(H3270 *hSession, LIB3270_SSL_STATE state)
 	{
 		X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD,
 		LIB3270_NOTIFY_ERROR,
+		"dialog-error",
 		N_( "Format error in CRL's lastUpdate field" ),
 		N_( "The CRL lastUpdate field contains an invalid time." )
 	},
@@ -202,6 +218,7 @@ void set_ssl_state(H3270 *hSession, LIB3270_SSL_STATE state)
 	{
 		X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD,
 		LIB3270_NOTIFY_ERROR,
+		"dialog-error",
 		N_( "Format error in CRL's nextUpdate field" ),
 		N_( "The CRL nextUpdate field contains an invalid time." )
 	},
@@ -209,6 +226,7 @@ void set_ssl_state(H3270 *hSession, LIB3270_SSL_STATE state)
 	{
 		X509_V_ERR_OUT_OF_MEM,
 		LIB3270_NOTIFY_ERROR,
+		"dialog-error",
 		N_( "Out of memory" ),
 		N_( "An error occurred trying to allocate memory. This should never happen." )
 	},
@@ -216,6 +234,7 @@ void set_ssl_state(H3270 *hSession, LIB3270_SSL_STATE state)
 	{
 		X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT,
 		LIB3270_NOTIFY_WARNING,
+		"security-medium",
 		N_( "Self signed certificate" ),
 		N_( "The passed certificate is self signed and the same certificate cannot be found in the list of trusted certificates." )
 	},
@@ -224,10 +243,12 @@ void set_ssl_state(H3270 *hSession, LIB3270_SSL_STATE state)
 		X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN,
 #ifdef SSL_ENABLE_SELF_SIGNED_CERT_CHECK
 		LIB3270_NOTIFY_ERROR,
+		"security-medium",
 		N_( "The SSL certificate for this host is not trusted." ),
 		N_( "The security certificate presented by this host was not issued by a trusted certificate authority." )
 #else
 		LIB3270_NOTIFY_WARNING,
+		"security-medium",
 		N_( "Self signed certificate in certificate chain" ),
 		N_( "The certificate chain could be built up using the untrusted certificates but the root could not be found locally." )
 #endif // SSL_ENABLE_SELF_SIGNED_CERT_CHECK
@@ -236,6 +257,7 @@ void set_ssl_state(H3270 *hSession, LIB3270_SSL_STATE state)
 	{
 		X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY,
 		LIB3270_NOTIFY_WARNING,
+		"security-low",
 		N_( "Unable to get local issuer certificate" ),
 		N_( "The issuer certificate could not be found: this occurs if the issuer certificate of an untrusted certificate cannot be found." )
 	},
@@ -243,6 +265,7 @@ void set_ssl_state(H3270 *hSession, LIB3270_SSL_STATE state)
 	{
 		X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE,
 		LIB3270_NOTIFY_ERROR,
+		"security-low",
 		N_( "Unable to verify the first certificate" ),
 		N_( "No signatures could be verified because the chain contains only one certificate and it is not self signed." )
 	},
@@ -250,6 +273,7 @@ void set_ssl_state(H3270 *hSession, LIB3270_SSL_STATE state)
 	{
 		X509_V_ERR_CERT_REVOKED,
 		LIB3270_NOTIFY_ERROR,
+		"security-low",
 		N_( "Certificate revoked" ),
 		N_( "The certificate has been revoked." )
 	},
@@ -257,6 +281,7 @@ void set_ssl_state(H3270 *hSession, LIB3270_SSL_STATE state)
 	{
 		X509_V_ERR_INVALID_CA,
 		LIB3270_NOTIFY_ERROR,
+		"security-low",
 		N_( "Invalid CA certificate" ),
 		N_( "A CA certificate is invalid. Either it is not a CA or its extensions are not consistent with the supplied purpose." )
 	},
@@ -264,6 +289,7 @@ void set_ssl_state(H3270 *hSession, LIB3270_SSL_STATE state)
 	{
 		X509_V_ERR_PATH_LENGTH_EXCEEDED,
 		LIB3270_NOTIFY_ERROR,
+		"dialog-error",
 		N_( "Path length constraint exceeded" ),
 		N_( "The basicConstraints pathlength parameter has been exceeded." ),
 	},
@@ -271,6 +297,7 @@ void set_ssl_state(H3270 *hSession, LIB3270_SSL_STATE state)
 	{
 		X509_V_ERR_INVALID_PURPOSE,
 		LIB3270_NOTIFY_ERROR,
+		"dialog-error",
 		N_( "Unsupported certificate purpose" ),
 		N_( "The supplied certificate cannot be used for the specified purpose." )
 	},
@@ -278,6 +305,7 @@ void set_ssl_state(H3270 *hSession, LIB3270_SSL_STATE state)
 	{
 		X509_V_ERR_CERT_UNTRUSTED,
 		LIB3270_NOTIFY_WARNING,
+		"security-low",
 		N_( "Certificate not trusted" ),
 		N_( "The root CA is not marked as trusted for the specified purpose." )
 	},
@@ -285,6 +313,7 @@ void set_ssl_state(H3270 *hSession, LIB3270_SSL_STATE state)
 	{
 		X509_V_ERR_CERT_REJECTED,
 		LIB3270_NOTIFY_ERROR,
+		"security-low",
 		N_( "Certificate rejected" ),
 		N_( "The root CA is marked to reject the specified purpose." )
 	},
@@ -292,6 +321,7 @@ void set_ssl_state(H3270 *hSession, LIB3270_SSL_STATE state)
 	{
 		X509_V_ERR_SUBJECT_ISSUER_MISMATCH,
 		LIB3270_NOTIFY_ERROR,
+		"security-low",
 		N_( "Subject issuer mismatch" ),
 		N_( "The current candidate issuer certificate was rejected because its subject name did not match the issuer name of the current certificate. Only displayed when the -issuer_checks option is set." )
 	},
@@ -299,6 +329,7 @@ void set_ssl_state(H3270 *hSession, LIB3270_SSL_STATE state)
 	{
 		X509_V_ERR_AKID_SKID_MISMATCH,
 		LIB3270_NOTIFY_ERROR,
+		"dialog-error",
 		N_( "Authority and subject key identifier mismatch" ),
 		N_( "The current candidate issuer certificate was rejected because its subject key identifier was present and did not match the authority key identifier current certificate. Only displayed when the -issuer_checks option is set." )
 	},
@@ -306,6 +337,7 @@ void set_ssl_state(H3270 *hSession, LIB3270_SSL_STATE state)
 	{
 		X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH,
 		LIB3270_NOTIFY_ERROR,
+		"dialog-error",
 		N_( "Authority and issuer serial number mismatch" ),
 		N_( "The current candidate issuer certificate was rejected because its issuer name and serial number was present and did not match the authority key identifier of the current certificate. Only displayed when the -issuer_checks option is set." )
 	},
@@ -313,6 +345,7 @@ void set_ssl_state(H3270 *hSession, LIB3270_SSL_STATE state)
 	{
 		X509_V_ERR_KEYUSAGE_NO_CERTSIGN,
 		LIB3270_NOTIFY_ERROR,
+		"dialog-error",
 		N_( "Key usage does not include certificate signing" ),
 		N_( "The current candidate issuer certificate was rejected because its keyUsage extension does not permit certificate signing." )
 	}
@@ -341,9 +374,24 @@ void set_ssl_state(H3270 *hSession, LIB3270_SSL_STATE state)
 			return gettext(info->message);
 	}
-	return lib3270_get_hostname(hSession);
+	return _( "The connection is insecure" );
+
+ }
+
+ const char	* lib3270_get_ssl_state_icon_name(H3270 *hSession)
+ {
+	if(lib3270_get_secure(hSession) != LIB3270_SSL_UNSECURE)
+	{
+		const struct ssl_status_msg *info = get_ssl_status_msg(hSession);
+		if(info)
+			return info->iconName;
+	}
+
+	return "dialog-error";
+
  }
+
  const char * lib3270_get_ssl_state_description(H3270 *hSession)
  {
 	if(lib3270_get_secure(hSession) != LIB3270_SSL_UNSECURE)
	@@ -68,7 +68,8 @@		@@ -68,7 +68,8 @@
68		68
69	LIB3270_EXPORT void lib3270_popup_va(H3270 session, LIB3270_NOTIFY id , const char title, const char message, const char fmt, va_list);	69	LIB3270_EXPORT void lib3270_popup_va(H3270 session, LIB3270_NOTIFY id , const char title, const char message, const char fmt, va_list);
70		70
71	- LIB3270_EXPORT LIB3270_NOTIFY lib3270_get_ssl_state_icon(H3270 *hSession);	71	+ LIB3270_EXPORT LIB3270_NOTIFY lib3270_get_ssl_state_icon(H3270 *hSession);
		72	+ LIB3270_EXPORT const char * lib3270_get_ssl_state_icon_name(H3270 *hSession);
72		73
73	#ifdef __cplusplus	74	#ifdef __cplusplus
74	}	75	}