From fbd474cd8ff84bd1eb48d663a8c4eeabdcf68a9f Mon Sep 17 00:00:00 2001
From: kidburglar
Date: Sun, 17 May 2020 13:03:39 +0200
Subject: [PATCH] Add error message if SAN doesn't match hostname (#253)
* Add error message if SAN doesn't match hostname
* Add a better message for the error startTLS-server-certificate-invalid-DNS-ID and add the strings to the other languages
---
 syncplay/messages_de.py | 1 +
 syncplay/messages_en.py | 1 +
 syncplay/messages_es.py | 1 +
 syncplay/messages_it.py | 1 +
 syncplay/messages_ru.py | 1 +
 syncplay/protocols.py | 2 ++
 6 files changed, 7 insertions(+)
diff --git a/syncplay/messages_de.py b/syncplay/messages_de.py
index eb3a810..62e5898 100755
--- a/syncplay/messages_de.py
+++ b/syncplay/messages_de.py
@@ -325,6 +325,7 @@ de = {
 "startTLS-initiated": "Sichere Verbindung wird versucht",
 "startTLS-secure-connection-ok": "Sichere Verbindung hergestellt ({})",
 "startTLS-server-certificate-invalid": 'Sichere Verbindung fehlgeschlagen. Der Server benutzt ein ungültiges Sicherheitszertifikat. Der Kanal könnte von Dritten abgehört werden. Für weitere Details und Problemlösung siehe hier [Englisch].',
+ "startTLS-server-certificate-invalid-DNS-ID": "Syncplay does not trust this server because it uses a certificate that is not valid for its hostname.", # TODO: Translate
 "startTLS-not-supported-client": "Dieser Server unterstützt kein TLS",
 "startTLS-not-supported-server": "Dieser Server unterstützt kein TLS",
diff --git a/syncplay/messages_en.py b/syncplay/messages_en.py
index 7589321..9e1557b 100755
--- a/syncplay/messages_en.py
+++ b/syncplay/messages_en.py
@@ -326,6 +326,7 @@ en = {
 "startTLS-initiated": "Attempting secure connection",
 "startTLS-secure-connection-ok": "Secure connection established ({})",
 "startTLS-server-certificate-invalid": 'Secure connection failed. The server uses an invalid security certificate. This communication could be intercepted by a third party. For further details and troubleshooting see here.',
+ "startTLS-server-certificate-invalid-DNS-ID": "Syncplay does not trust this server because it uses a certificate that is not valid for its hostname.",
 "startTLS-not-supported-client": "This client does not support TLS",
 "startTLS-not-supported-server": "This server does not support TLS",
diff --git a/syncplay/messages_es.py b/syncplay/messages_es.py
index 33ede9b..b998f3c 100644
--- a/syncplay/messages_es.py
+++ b/syncplay/messages_es.py
@@ -326,6 +326,7 @@ es = {
 "startTLS-initiated": "Intentando conexión segura",
 "startTLS-secure-connection-ok": "Conexión segura establecida ({})",
 "startTLS-server-certificate-invalid": 'Falló la conexión segura. El servidor utiliza un certificado inválido. Esta comunicación podría ser interceptada por un tercero. Para más detalles y solución de problemas, consulta aquí.',
+ "startTLS-server-certificate-invalid-DNS-ID": "Syncplay does not trust this server because it uses a certificate that is not valid for its hostname.", # TODO: Translate
 "startTLS-not-supported-client": "Este cliente no soporta TLS",
 "startTLS-not-supported-server": "Este servidor no soporta TLS",
diff --git a/syncplay/messages_it.py b/syncplay/messages_it.py
index a03dfaa..b0ea6cd 100755
--- a/syncplay/messages_it.py
+++ b/syncplay/messages_it.py
@@ -326,6 +326,7 @@ it = {
 "startTLS-initiated": "Tentativo di connessione sicura in corso",
 "startTLS-secure-connection-ok": "Connessione sicura stabilita ({})",
 "startTLS-server-certificate-invalid": 'Connessione sicura non riuscita. Il certificato di sicurezza di questo server non è valido. La comunicazione potrebbe essere intercettata da una terza parte. Per ulteriori dettagli e informazioni sulla risoluzione del problema, clicca qui.',
+ "startTLS-server-certificate-invalid-DNS-ID": "Syncplay does not trust this server because it uses a certificate that is not valid for its hostname.", # TODO: Translate
 "startTLS-not-supported-client": "Questo client non supporta TLS",
 "startTLS-not-supported-server": "Questo server non supporta TLS",
diff --git a/syncplay/messages_ru.py b/syncplay/messages_ru.py
index 3f40b97..26efbb8 100755
--- a/syncplay/messages_ru.py
+++ b/syncplay/messages_ru.py
@@ -329,6 +329,7 @@ ru = {
 "startTLS-initiated": "Attempting secure connection",
 "startTLS-secure-connection-ok": "Secure connection established ({})",
 "startTLS-server-certificate-invalid": 'Secure connection failed. The server uses an invalid security certificate. This communication could be intercepted by a third party. For further details and troubleshooting see here.',
+ "startTLS-server-certificate-invalid-DNS-ID": "Syncplay does not trust this server because it uses a certificate that is not valid for its hostname.",
 "startTLS-not-supported-client": "This client does not support TLS",
 "startTLS-not-supported-server": "This server does not support TLS",
diff --git a/syncplay/protocols.py b/syncplay/protocols.py
index 3bf0902..d13d07f 100755
--- a/syncplay/protocols.py
+++ b/syncplay/protocols.py
@@ -99,6 +99,8 @@ class SyncClientProtocol(JSONCommandProtocol):
 self._client._clientSupportsTLS = False
 elif "certificate verify failed" in str(reason.value):
 self.dropWithError(getMessage("startTLS-server-certificate-invalid"))
+ elif "mismatched_id=DNS_ID" in str(reason.value):
+ self.dropWithError(getMessage("startTLS-server-certificate-invalid-DNS-ID"))
 except:
 pass
 self._client.destroyProtocol()
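Review bot: The added branch `elif "mismatched_id=DNS_ID" in str(reason.value):` recognises a hostname-verification failure by a substring of the exception's text, which is brittle: if the TLS library renders that error differently, the branch stops matching and the enclosing bare `except: pass` hides the miss, so the user sees the connection drop with no reason. From the visible lines `self._client.destroyProtocol()` still runs whichever branch matches, so this looks like a diagnostics gap and not a verification bypass, and a comment such as `# Message selection only: the protocol is destroyed below whether or not a branch matches` would make that explicit. Consider testing the exception's type instead of its text if the verification error class is importable in this module (not visible here), and adding a final `else:` that reports a generic TLS failure so unrecognised handshake errors are not silent. The enclosing method and its `try:` start before this hunk.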