Merge pull request #31 from PerryWerneck/develop

Fixing win32 SSL certificate error.

Merge pull request #31 from PerryWerneck/develop
Fixing win32 SSL certificate error.
Perry Werneck · GitHub
2 parents 7ddc463f c8fb0e03
Showing 10 changed files with 169 additions and 63 deletions Show diff stats
.vscode/c_cpp_properties.json
configure.ac
debian/rules
locale/pt_BR.po
rpm/_service
rpm/lib3270.spec
src/network_modules/openssl/context.c
src/network_modules/openssl/messages.c
src/network_modules/state.c
src/testprogram/testprogram.c
@@ -16,7 +16,8 @@
             "compilerPath": "C:/Program Files (x86)/Microsoft Visual Studio/2019/Community/VC/Tools/MSVC/14.23.28105/bin/Hostx64/x64/cl.exe",
             "cStandard": "c11",
             "cppStandard": "c++17",
-            "intelliSenseMode": "msvc-x64"
+            "intelliSenseMode": "msvc-x64",
+            "configurationProvider": "ms-vscode.makefile-tools"
         }
     ],
     "version": 4
@@ -389,11 +389,11 @@ dnl SSL Security options
 dnl ---------------------------------------------------------------------------
 AC_ARG_ENABLE([self-signed-cert-check],
-	[AS_HELP_STRING([--enable-self-signed-cert-check], [Reject SSL connection when host presents a self signed certificate])],
+	[AS_HELP_STRING([--enable-self-signed-cert-check], [Emit Warning when host presents a self signed certificate])],
 [
 	app_cv_self_signed_certs="$enableval"
 ],[
-	app_cv_self_signed_certs="no"
+	app_cv_self_signed_certs="yes"
 ])
 if test "$app_cv_self_signed_certs" == "yes"; then
@@ -518,7 +518,7 @@ AC_ARG_WITH([sdk-version], [AS_HELP_STRING([--with-sdk-version], [Setup library 
 AC_DEFINE(LIB3270_SDK_VERSION,$app_cv_sdkversion,[The SDK version number])
 AC_SUBST(LIB3270_SDK_VERSION,$app_cv_sdkversion)
-AC_ARG_WITH([default-host], [AS_HELP_STRING([--with-default-host], [Set lib3270 default host url])], 
+AC_ARG_WITH([default-host], [AS_HELP_STRING([--with-default-host], [Set lib3270 default host url])],
 	[ app_default_host="\"$withval\""],
 	[ app_default_host=""])
@@ -650,7 +650,7 @@ case &quot;$host&quot; in
 	*-apple-darwin*)
 		AC_PATH_TOOL([CURLCONFIG], [curl-config], [no])
-		
+
 		if test x$CURLCONFIG = xno; then
         	AC_MSG_NOTICE([Building without CURL support])
 			AC_SUBST(LIBCURL_CFLAGS)
@@ -662,13 +662,13 @@ case &quot;$host&quot; in
 			AC_SUBST(LIBCURL_LIBS,"$($CURLCONFIG --libs)")
 		fi
 		;;
-		
+
 	*)
 		PKG_CHECK_MODULES( [LIBCURL], [libcurl], AC_DEFINE(HAVE_LIBCURL,[],[Do we have libcurl?]), AC_MSG_ERROR([libcurl not present.]) )
 		AC_SUBST(LIBCURL_CFLAGS)
 		AC_SUBST(LIBCURL_LIBS)
 		;;
-	
+
 esac
 dnl ---------------------------------------------------------------------------
@@ -23,14 +23,8 @@ build-stamp:
 	dh_testdir
 	# Add here commands to compile the package.
-	aclocal
-	autoconf
-    
-	mkdir -p scripts
-	automake --add-missing 2> /dev/null | true
- 
+	NOCONFIGURE=1 ./autogen.sh 
 	./configure --prefix=/usr --disable-static
-    
 	make all
 	# --- end custom part for compiling
@@ -5,7 +5,7 @@ msgid &quot;&quot;
 msgstr ""
 "Project-Id-Version: pw3270 5.0\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2021-09-01 23:49-0300\n"
+"POT-Creation-Date: 2021-11-29 14:31-0300\n"
 "PO-Revision-Date: 2021-09-01 23:53-0300\n"
 "Last-Translator: Perry Werneck <perry.werneck@gmail.com>\n"
 "Language-Team: Português <perry.werneck@gmail.com>\n"
@@ -277,7 +277,7 @@ msgstr &quot;Erro ao inicializar LDAP&quot;
 msgid "Can't initialize the TLS/SSL context."
 msgstr "Erro ao inicializar contexto TLS/SSL"
-#: src/core/session.c:198
+#: src/core/session.c:205
 msgid "Can't load"
 msgstr "Não foi possível carregar"
@@ -285,7 +285,7 @@ msgstr &quot;Não foi possível carregar&quot;
 msgid "Can't open HTTP session"
 msgstr "Não foi possível abrir sessão HTTP"
-#: src/core/session.c:186
+#: src/core/session.c:193
 msgid "Can't print"
 msgstr "Não é possível imprimir"
@@ -293,7 +293,7 @@ msgstr &quot;Não é possível imprimir&quot;
 msgid "Can't read HTTP response size."
 msgstr "Não posso obter tamanho da resposta HTTP"
-#: src/core/session.c:192
+#: src/core/session.c:199
 msgid "Can't save"
 msgstr "Não é possível salvar"
@@ -512,8 +512,8 @@ msgstr &quot;Tipo de dispositivo rejeitado&quot;
 msgid "Disconnect from host"
 msgstr "Desconecta do servidor"
-#: src/core/ft/ft.c:244 src/network_modules/openssl/main.c:99
-#: src/network_modules/openssl/main.c:147
+#: src/core/ft/ft.c:244 src/network_modules/openssl/main.c:100
+#: src/network_modules/openssl/main.c:148
 msgid "Disconnected from host."
 msgstr "Desconectado do servidor."
@@ -593,12 +593,12 @@ msgstr &quot;Apagar campos&quot;
 msgid "Erro sending data to host"
 msgstr "Erro ao enviar dados para o servidor"
-#: src/core/ft/ft_dft.c:413 src/core/ft/ft_cut.c:408
+#: src/core/ft/ft_cut.c:408 src/core/ft/ft_dft.c:413
 #, c-format
 msgid "Error \"%s\" reading from local file (rc=%d)"
 msgstr "Erro \"%s\" lendo arquivo local (rc=%d)"
-#: src/core/ft/ft_dft.c:306 src/core/ft/ft_cut.c:504
+#: src/core/ft/ft_cut.c:504 src/core/ft/ft_dft.c:306
 #, c-format
 msgid "Error \"%s\" writing to local file (rc=%d)"
 msgstr "Erro \"%s\" gravando arquivo local (rc=%d)"
@@ -611,7 +611,7 @@ msgstr &quot;Erro na transferência do arquivo, transferência cancelada&quot;
 msgid "Error reading file from host: file transfer canceled"
 msgstr "Erro ao ler arquivo do host: Transferência cancelada"
-#: src/network_modules/openssl/main.c:169
+#: src/network_modules/openssl/main.c:170
 msgid "Error reading from host"
 msgstr "Erro lendo do servidor"
@@ -631,7 +631,7 @@ msgstr &quot;Erro ao ler ou gravar no host: Transferência cancelada&quot;
 msgid "Error writing file to host: file transfer canceled"
 msgstr "Erro ao gravar arquivo no host, transferência cancelada"
-#: src/network_modules/openssl/main.c:122
+#: src/network_modules/openssl/main.c:123
 msgid "Error writing to host."
 msgstr "Erro enviando para o servidor"
@@ -989,8 +989,8 @@ msgstr &quot;Move para o próximo campo desprotegido&quot;
 msgid "Move to the previous unprotected field on screen"
 msgstr "Move para o campo desprotegido anterior"
-#: src/core/telnet.c:304 src/core/windows/event_dispatcher.c:135
-#: src/core/windows/connect.c:223
+#: src/core/telnet.c:304 src/core/windows/connect.c:223
+#: src/core/windows/event_dispatcher.c:135
 msgid "Network error"
 msgstr "Erro de rede"
@@ -1500,8 +1500,8 @@ msgstr &quot;&quot;
 "A lista de revogação de certificados (CRL) de um certificado não pôde ser "
 "encontrada."
-#: src/network_modules/openssl/main.c:123
-#: src/network_modules/openssl/main.c:170
+#: src/network_modules/openssl/main.c:124
+#: src/network_modules/openssl/main.c:171
 #, c-format
 msgid "The SSL error message was %s"
 msgstr "A mensagem de erro SSL foi \"%s\""
@@ -1723,8 +1723,8 @@ msgstr &quot;&quot;
 "O Certificado raiz não está marcado como confiável para os fins "
 "especificados."
-#: src/network_modules/openssl/main.c:101
-#: src/network_modules/openssl/main.c:149
+#: src/network_modules/openssl/main.c:102
+#: src/network_modules/openssl/main.c:150
 msgid "The secure connection has been closed cleanly."
 msgstr "A conexão segura foi fechada corretamente"
@@ -1774,7 +1774,7 @@ msgstr &quot;O erro do sistema operacional foi \&quot;%s\&quot; (rc=%d)&quot;
 msgid "The system error was %s"
 msgstr "O erro do sistema operacional foi \"%s\""
-#: src/core/util.c:260
+#: src/core/util.c:264
 #, c-format
 msgid "The system error was '%s' (rc=%d)"
 msgstr "O erro do sistema foi \"%s\" (rc=%d)"
@@ -1857,8 +1857,8 @@ msgstr &quot;Mostrar posição do cursor&quot;
 msgid "Transfer cancelled by host"
 msgstr "Transferência cancelada pelo host"
-#: src/core/ft/ft_dft.c:213 src/core/ft/ft_dft.c:344 src/core/ft/ft_cut.c:387
-#: src/core/ft/ft_cut.c:475
+#: src/core/ft/ft_cut.c:387 src/core/ft/ft_cut.c:475 src/core/ft/ft_dft.c:213
+#: src/core/ft/ft_dft.c:344
 msgid "Transfer cancelled by user"
 msgstr "Transferência cancelada pelo usuário"
@@ -1915,7 +1915,7 @@ msgstr &quot;Não foi possível obter emissor do certificado&quot;
 msgid "Unable to get local issuer certificate"
 msgstr "Unable to get local issuer certificate"
-#: src/core/session.c:198
+#: src/core/session.c:205
 msgid "Unable to load from file"
 msgstr "Não foi possível ler do arquivo"
@@ -1927,11 +1927,11 @@ msgstr &quot;Incapaz de negociar uma conexão segura com o host&quot;
 msgid "Unable to paste text"
 msgstr "Incapaz de colar texto"
-#: src/core/session.c:186
+#: src/core/session.c:193
 msgid "Unable to print"
 msgstr "Incapaz de imprimir"
-#: src/core/session.c:192
+#: src/core/session.c:199
 msgid "Unable to save"
 msgstr "Incapaz de salvar"
@@ -10,11 +10,10 @@
 	</service>
 	<!-- https://github.com/openSUSE/obs-service-extract_file -->
-	
-    	<service name="extract_file">
+	<!-- service name="extract_file">
 		<param name="archive">*.tar</param>
 		<param name="files">*/rpm/lib3270.spec</param>
-	</service>
+	</service -->
 	<service name="extract_file">
 		<param name="archive">*.tar</param>
@@ -38,11 +37,11 @@
 		<param name="outfilename">debian.control</param>
 	</service>
-	<service name="extract_file">
+	<!-- service name="extract_file">
 		<param name="archive">*.tar</param>
 		<param name="files">*/debian/rules</param>
 		<param name="outfilename">debian.rules</param>
-	</service>
+	</service -->
 	<service name="extract_file">
 		<param name="archive">*.tar</param>
 #
 # spec file for package lib3270
 #
-# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2022 SUSE LLC
 # Copyright (c) <2008> <Banco do Brasil S.A.>
 #
 # All modifications and additions to the file contributed by third parties
@@ -29,15 +29,15 @@ BuildRequires:  autoconf &gt;= 2.61
 BuildRequires:  automake
 BuildRequires:  binutils
 BuildRequires:  coreutils
-BuildRequires:	libtool
 BuildRequires:  fdupes
 BuildRequires:  gcc-c++
 BuildRequires:  gettext-devel
+BuildRequires:  libtool
 BuildRequires:  m4
 BuildRequires:  pkgconfig
+BuildRequires:  xz
 BuildRequires:  pkgconfig(libcurl)
 BuildRequires:  pkgconfig(libssl)
-BuildRequires:  xz
 %if 0%{?centos_version}
 # CENTOS Requires gdb for debuginfo
@@ -54,8 +54,8 @@ For more details, see https://softwarepublico.gov.br/social/pw3270/ .
 %define _libvrs %{MAJOR_VERSION}_%{MINOR_VERSION}
 %package -n %{name}-%{_libvrs}
-Summary:    TN3270 Access library
-Group:      Development/Libraries/C and C++
+Summary:        TN3270 Access library
+Group:          Development/Libraries/C and C++
 %description -n %{name}-%{_libvrs}
 TN3270 access library, originally designed as part of the pw3270 application.
@@ -63,9 +63,9 @@ TN3270 access library, originally designed as part of the pw3270 application.
 For more details, see https://softwarepublico.gov.br/social/pw3270/ .
 %package devel
-Summary:    TN3270 Access library development files
-Requires:   %{name}-%{_libvrs} = %{version}
-Group:      Development/Libraries/C and C++
+Summary:        TN3270 Access library development files
+Requires:       %{name}-%{_libvrs} = %{version}
+Group:          Development/Libraries/C and C++
 %description devel
 Header files for the TN3270 access library.
@@ -193,6 +193,94 @@ SSL_CTX * lib3270_openssl_get_context(H3270 *hSession) {
 #endif // SSL_ENABLE_CRL_CHECK
+#ifdef _WIN32
+	{
+		// Load certs
+		// https://stackoverflow.com/questions/9507184/can-openssl-on-windows-use-the-system-certificate-store
+		X509_STORE * store = SSL_CTX_get_cert_store(context);
+
+		lib3270_autoptr(char) certpath = lib3270_build_data_filename("certs","*.der",NULL);
+
+		trace_ssl(hSession,"Loading SSL certs from %s\n",certpath);
+
+		WIN32_FIND_DATA ffd;
+		HANDLE hFind = FindFirstFile(certpath, &ffd);
+
+		if(hFind == INVALID_HANDLE_VALUE)
+		{
+			static const LIB3270_SSL_MESSAGE message = {
+				.type = LIB3270_NOTIFY_SECURE,
+				.icon = "dialog-error",
+				.summary = N_( "Cant open custom certificate directory." ),
+			};
+
+			hSession->ssl.message = &message;
+
+			trace_ssl(hSession, _( "Can't open \"%s\" (The Windows error code was %ld)" ), certpath, (long) GetLastError());
+		}
+		else
+		{
+			do
+			{
+				char * filename = lib3270_build_data_filename("certs", ffd.cFileName, NULL);
+
+				debug("Loading \"%s\"",filename);
+
+				FILE *fp = fopen(filename,"r");
+				if(!fp) {
+
+					trace_ssl(hSession, _( "Can't open \"%s\": %s" ), filename, strerror(errno));
+
+				}
+				else
+				{
+					X509 * cert = d2i_X509_fp(fp, NULL);
+
+					if(!cert)
+					{
+						static const LIB3270_SSL_MESSAGE message = {
+							.type = LIB3270_NOTIFY_SECURE,
+							.icon = "dialog-error",
+							.summary = N_( "Cant read custom certificate file." ),
+						};
+
+						hSession->ssl.message = &message;
+						hSession->network.context->state.error = ERR_get_error();
+
+						trace_ssl(hSession, _( "Can't read \"%s\": %s" ), filename, ERR_lib_error_string(hSession->ssl.error));
+					}
+					else
+					{
+
+						if(X509_STORE_add_cert(store, cert) != 1)
+						{
+							static const LIB3270_SSL_MESSAGE message = {
+								.type = LIB3270_NOTIFY_SECURE,
+								.icon = "dialog-error",
+								.summary = N_( "Cant load custom certificate file." ),
+							};
+
+							hSession->ssl.message = &message;
+							hSession->network.context->state.error = ERR_get_error();
+
+							trace_ssl(hSession, _( "Can't load \"%s\": %s" ), filename, ERR_lib_error_string(hSession->ssl.error));
+						}
+
+						X509_free(cert);
+					}
+
+					fclose(fp);
+				}
+
+				lib3270_free(filename);
+
+			}
+			while (FindNextFile(hFind, &ffd) != 0);
+
+		}
+	}
+#endif // _WIN32
+
 	return context;
 }
@@ -46,6 +46,7 @@ const LIB3270_SSL_MESSAGE * lib3270_openssl_message_from_id(long id) {
 		{
 			.id = X509_V_OK,
 			.message = {
+				.name = "X509_V_OK",
 				.type = LIB3270_NOTIFY_INFO,
 				.icon = "security-high",
 				.summary = N_( "Secure connection was successful." ),
@@ -56,6 +57,7 @@ const LIB3270_SSL_MESSAGE * lib3270_openssl_message_from_id(long id) {
 		{
 			.id = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT,
 			.message = {
+				.name = "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT",
 				.type = LIB3270_NOTIFY_SECURE,
 				.icon = "dialog-error",
 				.summary = N_( "Unable to get issuer certificate" ),
@@ -66,12 +68,12 @@ const LIB3270_SSL_MESSAGE * lib3270_openssl_message_from_id(long id) {
 		{
 			.id = X509_V_ERR_UNABLE_TO_GET_CRL,
 			.message = {
+				.name = "X509_V_ERR_UNABLE_TO_GET_CRL",
 #ifdef SSL_ENABLE_CRL_CHECK
 				.type = LIB3270_NOTIFY_SECURE,
 #else
 				.type = LIB3270_NOTIFY_INFO,
 #endif // SSL_ENABLE_CRL_CHECK
-				.name = "X509UnableToGetCRL",
 				.icon = "security-low",
 				.summary = N_( "Unable to get certificate CRL." ),
 				.body = N_( "The Certificate revocation list (CRL) of a certificate could not be found." ),
@@ -82,6 +84,7 @@ const LIB3270_SSL_MESSAGE * lib3270_openssl_message_from_id(long id) {
 		{
 			.id = X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE,
 			.message = {
+				.name = "X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE",
 				.type = LIB3270_NOTIFY_SECURE,
 				.icon = "dialog-error",
 				.summary = N_( "Unable to decrypt certificate's signature" ),
@@ -92,6 +95,7 @@ const LIB3270_SSL_MESSAGE * lib3270_openssl_message_from_id(long id) {
 		{
 			.id = X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE,
 			.message = {
+				.name = "X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE",
 				.type = LIB3270_NOTIFY_SECURE,
 				.icon = "dialog-error",
 				.summary = N_( "Unable to decrypt CRL's signature" ),
@@ -102,6 +106,7 @@ const LIB3270_SSL_MESSAGE * lib3270_openssl_message_from_id(long id) {
 		{
 			.id = X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY,
 			.message = {
+				.name = "X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY",
 				.type = LIB3270_NOTIFY_SECURE,
 				.icon = "dialog-error",
 				.summary = N_( "Unable to decode issuer public key" ),
@@ -112,6 +117,7 @@ const LIB3270_SSL_MESSAGE * lib3270_openssl_message_from_id(long id) {
 		{
 			.id = X509_V_ERR_CERT_SIGNATURE_FAILURE,
 			.message = {
+				.name = "X509_V_ERR_CERT_SIGNATURE_FAILURE",
 				.type = LIB3270_NOTIFY_SECURE,
 				.icon = "dialog-error",
 				.summary = N_( "Certificate signature failure" ),
@@ -122,6 +128,7 @@ const LIB3270_SSL_MESSAGE * lib3270_openssl_message_from_id(long id) {
 		{
 			.id = X509_V_ERR_CRL_SIGNATURE_FAILURE,
 			.message = {
+				.name = "X509_V_ERR_CRL_SIGNATURE_FAILURE",
 				.type = LIB3270_NOTIFY_SECURE,
 				.icon = "dialog-error",
 				.summary = N_( "CRL signature failure" ),
@@ -132,6 +139,7 @@ const LIB3270_SSL_MESSAGE * lib3270_openssl_message_from_id(long id) {
 		{
 			.id = X509_V_ERR_CERT_NOT_YET_VALID,
 			.message = {
+				.name = "X509_V_ERR_CERT_NOT_YET_VALID",
 				.type = LIB3270_NOTIFY_WARNING,
 				.icon = "security-medium",
 				.summary = N_( "Certificate is not yet valid" ),
@@ -142,6 +150,7 @@ const LIB3270_SSL_MESSAGE * lib3270_openssl_message_from_id(long id) {
 		{
 			.id = X509_V_ERR_CERT_HAS_EXPIRED,
 			.message = {
+				.name = "X509_V_ERR_CERT_HAS_EXPIRED",
 				.type = LIB3270_NOTIFY_SECURE,
 				.icon = "security-medium",
 				.summary = N_( "Certificate has expired" ),
@@ -152,6 +161,7 @@ const LIB3270_SSL_MESSAGE * lib3270_openssl_message_from_id(long id) {
 		{
 			.id = X509_V_ERR_CRL_NOT_YET_VALID,
 			.message = {
+				.name = "X509_V_ERR_CRL_NOT_YET_VALID",
 				.type = LIB3270_NOTIFY_WARNING,
 				.icon = "security-medium",
 				.summary = N_( "The CRL is not yet valid." ),
@@ -162,6 +172,7 @@ const LIB3270_SSL_MESSAGE * lib3270_openssl_message_from_id(long id) {
 		{
 			.id = X509_V_ERR_CRL_HAS_EXPIRED,
 			.message = {
+				.name = "X509_V_ERR_CRL_HAS_EXPIRED",
 #ifdef SSL_ENABLE_CRL_EXPIRATION_CHECK
 				.type = LIB3270_NOTIFY_SECURE,
 #else
@@ -176,6 +187,7 @@ const LIB3270_SSL_MESSAGE * lib3270_openssl_message_from_id(long id) {
 		{
 			.id = X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD,
 			.message = {
+				.name = "X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD",
 				.type = LIB3270_NOTIFY_SECURE,
 				.icon = "dialog-error",
 				.summary = N_( "Format error in certificate's notBefore field" ),
@@ -186,6 +198,7 @@ const LIB3270_SSL_MESSAGE * lib3270_openssl_message_from_id(long id) {
 		{
 			.id = X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD,
 			.message = {
+				.name = "X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD",
 				.type = LIB3270_NOTIFY_SECURE,
 				.icon = "dialog-error",
 				.summary = N_( "Format error in certificate's notAfter field" ),
@@ -196,6 +209,7 @@ const LIB3270_SSL_MESSAGE * lib3270_openssl_message_from_id(long id) {
 		{
 			.id = X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD,
 			.message = {
+				.name = "X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD",
 				.type = LIB3270_NOTIFY_SECURE,
 				.icon = "dialog-error",
 				.summary = N_( "Format error in CRL's lastUpdate field" ),
@@ -206,6 +220,7 @@ const LIB3270_SSL_MESSAGE * lib3270_openssl_message_from_id(long id) {
 		{
 			.id = X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD,
 			.message = {
+				.name = "X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD",
 				.type = LIB3270_NOTIFY_SECURE,
 				.icon = "dialog-error",
 				.summary = N_( "Format error in CRL's nextUpdate field" ),
@@ -216,6 +231,7 @@ const LIB3270_SSL_MESSAGE * lib3270_openssl_message_from_id(long id) {
 		{
 			.id = X509_V_ERR_OUT_OF_MEM,
 			.message = {
+				.name = "X509_V_ERR_OUT_OF_MEM",
 				.type = LIB3270_NOTIFY_ERROR,
 				.icon = "dialog-error",
 				.summary = N_( "Out of memory" ),
@@ -226,14 +242,14 @@ const LIB3270_SSL_MESSAGE * lib3270_openssl_message_from_id(long id) {
 		{
 			.id = X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT,
 			.message = {
+				.name = "X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT",
 #ifdef SSL_ENABLE_SELF_SIGNED_CERT_CHECK
-				.type = LIB3270_NOTIFY_SECURE,
-#else
 				.type = LIB3270_NOTIFY_WARNING,
+#else
+				.type = LIB3270_NOTIFY_SECURE,
 #endif // SSL_ENABLE_SELF_SIGNED_CERT_CHECK
 				.icon = "security-medium",
 				.summary = N_( "Self signed certificate" ),
-				.name = "X509DepthZeroSelfSignedCert",
 				.label = N_( "Continue" ),
 				.body = N_( "The passed certificate is self signed and the same certificate cannot be found in the list of trusted certificates." )
 			}
@@ -242,12 +258,12 @@ const LIB3270_SSL_MESSAGE * lib3270_openssl_message_from_id(long id) {
 		{
 			.id = X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN,
 			.message = {
+				.name = "X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN",
 #ifdef SSL_ENABLE_SELF_SIGNED_CERT_CHECK
-				.type = LIB3270_NOTIFY_SECURE,
-#else
 				.type = LIB3270_NOTIFY_INFO,
+#else
+				.type = LIB3270_NOTIFY_SECURE,
 #endif // SSL_ENABLE_SELF_SIGNED_CERT_CHECK
-				.name = "SelfSignedCertInChain",
 				.icon = "security-low",
 				.label = N_("Continue"),
 				.summary = N_( "Self signed certificate in certificate chain" ),
@@ -258,6 +274,7 @@ const LIB3270_SSL_MESSAGE * lib3270_openssl_message_from_id(long id) {
 		{
 			.id = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY,
 			.message = {
+				.name = "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY",
 				.type = LIB3270_NOTIFY_WARNING,
 				.icon = "security-low",
 				.summary = N_( "Unable to get local issuer certificate" ),
@@ -268,6 +285,7 @@ const LIB3270_SSL_MESSAGE * lib3270_openssl_message_from_id(long id) {
 		{
 			.id = X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE,
 			.message = {
+				.name = "X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE",
 				.type = LIB3270_NOTIFY_SECURE,
 				.icon = "security-low",
 				.summary = N_( "Unable to verify the first certificate" ),
@@ -278,6 +296,7 @@ const LIB3270_SSL_MESSAGE * lib3270_openssl_message_from_id(long id) {
 		{
 			.id = X509_V_ERR_CERT_REVOKED,
 			.message = {
+				.name = "X509_V_ERR_CERT_REVOKED",
 				.type = LIB3270_NOTIFY_SECURE,
 				.icon = "security-low",
 				.summary = N_( "Certificate revoked" ),
@@ -288,6 +307,7 @@ const LIB3270_SSL_MESSAGE * lib3270_openssl_message_from_id(long id) {
 		{
 			.id = X509_V_ERR_INVALID_CA,
 			.message = {
+				.name = "X509_V_ERR_INVALID_CA",
 				.type = LIB3270_NOTIFY_SECURE,
 				.icon = "security-low",
 				.summary = N_( "Invalid CA certificate" ),
@@ -298,6 +318,7 @@ const LIB3270_SSL_MESSAGE * lib3270_openssl_message_from_id(long id) {
 		{
 			.id = X509_V_ERR_PATH_LENGTH_EXCEEDED,
 			.message = {
+				.name = "X509_V_ERR_PATH_LENGTH_EXCEEDED",
 				.type = LIB3270_NOTIFY_SECURE,
 				.icon = "dialog-error",
 				.summary = N_( "Path length constraint exceeded" ),
@@ -308,6 +329,7 @@ const LIB3270_SSL_MESSAGE * lib3270_openssl_message_from_id(long id) {
 		{
 			.id = X509_V_ERR_INVALID_PURPOSE,
 			.message = {
+				.name = "X509_V_ERR_INVALID_PURPOSE",
 				.type = LIB3270_NOTIFY_SECURE,
 				.icon = "dialog-error",
 				.summary = N_( "Unsupported certificate purpose" ),
@@ -318,6 +340,7 @@ const LIB3270_SSL_MESSAGE * lib3270_openssl_message_from_id(long id) {
 		{
 			.id = X509_V_ERR_CERT_UNTRUSTED,
 			.message = {
+				.name = "X509_V_ERR_CERT_UNTRUSTED",
 				.type = LIB3270_NOTIFY_WARNING,
 				.icon = "security-low",
 				.summary = N_( "Certificate not trusted" ),
@@ -328,6 +351,7 @@ const LIB3270_SSL_MESSAGE * lib3270_openssl_message_from_id(long id) {
 		{
 			.id = X509_V_ERR_CERT_REJECTED,
 			.message = {
+				.name = "X509_V_ERR_CERT_REJECTED",
 				.type = LIB3270_NOTIFY_SECURE,
 				.icon = "security-low",
 				.summary = N_( "Certificate rejected" ),
@@ -338,6 +362,7 @@ const LIB3270_SSL_MESSAGE * lib3270_openssl_message_from_id(long id) {
 		{
 			.id = X509_V_ERR_SUBJECT_ISSUER_MISMATCH,
 			.message = {
+				.name = "X509_V_ERR_SUBJECT_ISSUER_MISMATCH",
 				.type = LIB3270_NOTIFY_SECURE,
 				.icon = "security-low",
 				.summary = N_( "Subject issuer mismatch" ),
@@ -348,6 +373,7 @@ const LIB3270_SSL_MESSAGE * lib3270_openssl_message_from_id(long id) {
 		{
 			.id = X509_V_ERR_AKID_SKID_MISMATCH,
 			.message = {
+				.name = "X509_V_ERR_AKID_SKID_MISMATCH",
 				.type = LIB3270_NOTIFY_SECURE,
 				.icon = "dialog-error",
 				.summary = N_( "Authority and subject key identifier mismatch" ),
@@ -358,6 +384,7 @@ const LIB3270_SSL_MESSAGE * lib3270_openssl_message_from_id(long id) {
 		{
 			.id = X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH,
 			.message = {
+				.name = "X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH",
 				.type = LIB3270_NOTIFY_SECURE,
 				.icon = "dialog-error",
 				.summary = N_( "Authority and issuer serial number mismatch" ),
@@ -368,6 +395,7 @@ const LIB3270_SSL_MESSAGE * lib3270_openssl_message_from_id(long id) {
 		{
 			.id = X509_V_ERR_KEYUSAGE_NO_CERTSIGN,
 			.message = {
+				.name = "X509_V_ERR_KEYUSAGE_NO_CERTSIGN",
 				.type = LIB3270_NOTIFY_SECURE,
 				.icon = "dialog-error",
 				.summary = N_( "Key usage does not include certificate signing" ),
@@ -88,12 +88,8 @@ LIB3270_EXPORT const char * lib3270_get_ssl_state_icon_name(const H3270 *hSessio
 LIB3270_EXPORT const char * lib3270_get_ssl_state_description(const H3270 *hSession) {
-	if(hSession->ssl.message) {
-
-		if(hSession->ssl.message->body)
-			return dgettext(GETTEXT_PACKAGE,hSession->ssl.message->body);
-
-		return "";
+	if(hSession->ssl.message && hSession->ssl.message->body) {
+		return dgettext(GETTEXT_PACKAGE,hSession->ssl.message->body);
 	}
 	return "";
@@ -78,7 +78,7 @@ int main(int argc, char *argv[]) {
 	{
 		lib3270_autoptr(char) testfilename = lib3270_build_data_filename("test",NULL);
 		printf("\n\nFilename: '%s'\n\n", testfilename);
-		return 0;
+//		return 0;
 	}
 //	#pragma GCC diagnostic push
	@@ -389,11 +389,11 @@ dnl SSL Security options		@@ -389,11 +389,11 @@ dnl SSL Security options
389	dnl ---------------------------------------------------------------------------	389	dnl ---------------------------------------------------------------------------
390		390
391	AC_ARG_ENABLE([self-signed-cert-check],	391	AC_ARG_ENABLE([self-signed-cert-check],
392	- [AS_HELP_STRING([--enable-self-signed-cert-check], [Reject SSL connection when host presents a self signed certificate])],	392	+ [AS_HELP_STRING([--enable-self-signed-cert-check], [Emit Warning when host presents a self signed certificate])],
393	[	393	[
394	app_cv_self_signed_certs="$enableval"	394	app_cv_self_signed_certs="$enableval"
395	],[	395	],[
396	- app_cv_self_signed_certs="no"	396	+ app_cv_self_signed_certs="yes"
397	])	397	])
398		398
399	if test "$app_cv_self_signed_certs" == "yes"; then	399	if test "$app_cv_self_signed_certs" == "yes"; then
	@@ -518,7 +518,7 @@ AC_ARG_WITH([sdk-version], [AS_HELP_STRING([--with-sdk-version], [Setup library		@@ -518,7 +518,7 @@ AC_ARG_WITH([sdk-version], [AS_HELP_STRING([--with-sdk-version], [Setup library
518	AC_DEFINE(LIB3270_SDK_VERSION,$app_cv_sdkversion,[The SDK version number])	518	AC_DEFINE(LIB3270_SDK_VERSION,$app_cv_sdkversion,[The SDK version number])
519	AC_SUBST(LIB3270_SDK_VERSION,$app_cv_sdkversion)	519	AC_SUBST(LIB3270_SDK_VERSION,$app_cv_sdkversion)
520		520
521	-AC_ARG_WITH([default-host], [AS_HELP_STRING([--with-default-host], [Set lib3270 default host url])],	521	+AC_ARG_WITH([default-host], [AS_HELP_STRING([--with-default-host], [Set lib3270 default host url])],
522	[ app_default_host="\"$withval\""],	522	[ app_default_host="\"$withval\""],
523	[ app_default_host=""])	523	[ app_default_host=""])
524		524
	@@ -650,7 +650,7 @@ case "$host" in		@@ -650,7 +650,7 @@ case "$host" in
650		650
651	-apple-darwin)	651	-apple-darwin)
652	AC_PATH_TOOL([CURLCONFIG], [curl-config], [no])	652	AC_PATH_TOOL([CURLCONFIG], [curl-config], [no])
653	-	653	+
654	if test x$CURLCONFIG = xno; then	654	if test x$CURLCONFIG = xno; then
655	AC_MSG_NOTICE([Building without CURL support])	655	AC_MSG_NOTICE([Building without CURL support])
656	AC_SUBST(LIBCURL_CFLAGS)	656	AC_SUBST(LIBCURL_CFLAGS)
	@@ -662,13 +662,13 @@ case "$host" in		@@ -662,13 +662,13 @@ case "$host" in
662	AC_SUBST(LIBCURL_LIBS,"$($CURLCONFIG --libs)")	662	AC_SUBST(LIBCURL_LIBS,"$($CURLCONFIG --libs)")
663	fi	663	fi
664	;;	664	;;
665	-	665	+
666	*)	666	*)
667	PKG_CHECK_MODULES( [LIBCURL], [libcurl], AC_DEFINE(HAVE_LIBCURL,[],[Do we have libcurl?]), AC_MSG_ERROR([libcurl not present.]) )	667	PKG_CHECK_MODULES( [LIBCURL], [libcurl], AC_DEFINE(HAVE_LIBCURL,[],[Do we have libcurl?]), AC_MSG_ERROR([libcurl not present.]) )
668	AC_SUBST(LIBCURL_CFLAGS)	668	AC_SUBST(LIBCURL_CFLAGS)
669	AC_SUBST(LIBCURL_LIBS)	669	AC_SUBST(LIBCURL_LIBS)
670	;;	670	;;
671	-	671	+
672	esac	672	esac
673		673
674	dnl ---------------------------------------------------------------------------	674	dnl ---------------------------------------------------------------------------
	@@ -193,6 +193,94 @@ SSL_CTX * lib3270_openssl_get_context(H3270 *hSession) {		@@ -193,6 +193,94 @@ SSL_CTX * lib3270_openssl_get_context(H3270 *hSession) {
193		193
194	#endif // SSL_ENABLE_CRL_CHECK	194	#endif // SSL_ENABLE_CRL_CHECK
195		195
		196	+#ifdef _WIN32
		197	+ {
		198	+ // Load certs
		199	+ // https://stackoverflow.com/questions/9507184/can-openssl-on-windows-use-the-system-certificate-store
		200	+ X509_STORE * store = SSL_CTX_get_cert_store(context);
		201	+
		202	+ lib3270_autoptr(char) certpath = lib3270_build_data_filename("certs","*.der",NULL);
		203	+
		204	+ trace_ssl(hSession,"Loading SSL certs from %s\n",certpath);
		205	+
		206	+ WIN32_FIND_DATA ffd;
		207	+ HANDLE hFind = FindFirstFile(certpath, &ffd);
		208	+
		209	+ if(hFind == INVALID_HANDLE_VALUE)
		210	+ {
		211	+ static const LIB3270_SSL_MESSAGE message = {
		212	+ .type = LIB3270_NOTIFY_SECURE,
		213	+ .icon = "dialog-error",
		214	+ .summary = N_( "Cant open custom certificate directory." ),
		215	+ };
		216	+
		217	+ hSession->ssl.message = &message;
		218	+
		219	+ trace_ssl(hSession, _( "Can't open \"%s\" (The Windows error code was %ld)" ), certpath, (long) GetLastError());
		220	+ }
		221	+ else
		222	+ {
		223	+ do
		224	+ {
		225	+ char * filename = lib3270_build_data_filename("certs", ffd.cFileName, NULL);
		226	+
		227	+ debug("Loading \"%s\"",filename);
		228	+
		229	+ FILE *fp = fopen(filename,"r");
		230	+ if(!fp) {
		231	+
		232	+ trace_ssl(hSession, _( "Can't open \"%s\": %s" ), filename, strerror(errno));
		233	+
		234	+ }
		235	+ else
		236	+ {
		237	+ X509 * cert = d2i_X509_fp(fp, NULL);
		238	+
		239	+ if(!cert)
		240	+ {
		241	+ static const LIB3270_SSL_MESSAGE message = {
		242	+ .type = LIB3270_NOTIFY_SECURE,
		243	+ .icon = "dialog-error",
		244	+ .summary = N_( "Cant read custom certificate file." ),
		245	+ };
		246	+
		247	+ hSession->ssl.message = &message;
		248	+ hSession->network.context->state.error = ERR_get_error();
		249	+
		250	+ trace_ssl(hSession, _( "Can't read \"%s\": %s" ), filename, ERR_lib_error_string(hSession->ssl.error));
		251	+ }
		252	+ else
		253	+ {
		254	+
		255	+ if(X509_STORE_add_cert(store, cert) != 1)
		256	+ {
		257	+ static const LIB3270_SSL_MESSAGE message = {
		258	+ .type = LIB3270_NOTIFY_SECURE,
		259	+ .icon = "dialog-error",
		260	+ .summary = N_( "Cant load custom certificate file." ),
		261	+ };
		262	+
		263	+ hSession->ssl.message = &message;
		264	+ hSession->network.context->state.error = ERR_get_error();
		265	+
		266	+ trace_ssl(hSession, _( "Can't load \"%s\": %s" ), filename, ERR_lib_error_string(hSession->ssl.error));
		267	+ }
		268	+
		269	+ X509_free(cert);
		270	+ }
		271	+
		272	+ fclose(fp);
		273	+ }
		274	+
		275	+ lib3270_free(filename);
		276	+
		277	+ }
		278	+ while (FindNextFile(hFind, &ffd) != 0);
		279	+
		280	+ }
		281	+ }
		282	+#endif // _WIN32
		283	+
196	return context;	284	return context;
197		285
198	}	286	}
	@@ -78,7 +78,7 @@ int main(int argc, char *argv[]) {		@@ -78,7 +78,7 @@ int main(int argc, char *argv[]) {
78	{	78	{
79	lib3270_autoptr(char) testfilename = lib3270_build_data_filename("test",NULL);	79	lib3270_autoptr(char) testfilename = lib3270_build_data_filename("test",NULL);
80	printf("\n\nFilename: '%s'\n\n", testfilename);	80	printf("\n\nFilename: '%s'\n\n", testfilename);
81	- return 0;	81	+// return 0;
82	}	82	}
83		83
84	// #pragma GCC diagnostic push	84	// #pragma GCC diagnostic push