meaningful forward secrecy info

world/default/de/plain.textdb

@@ -8,10 +8,10 @@ _status_circuit_encryption_cipher
 |Gratuliere! Deine Verbindung ist mit Folgenlosigkeit verschlüsselt.
 
 _warning_circuit_encryption_cipher
-|Deine Verbindung ist leider ohne Folgenlosigkeit verschlüsselt.
+|Deine Verbindung ist leider ohne Folgenlosigkeit verschlüsselt ([_circuit_encryption_cipher]).
 
 _error_circuit_encryption_cipher
-|Deine Verbindung ist ohne Folgenlosigkeit verschlüsselt.
+|Deine Verbindung ist ohne Folgenlosigkeit verschlüsselt ([_circuit_encryption_cipher]).
 
 _failure_disabled_function_register
 |Registrierung ist auf diesem Server deaktiviert.

world/default/en/jabber.textdb

@@ -158,6 +158,9 @@ _failure_unsupported_function_whisper
 _failure_filter_strangers
 |<message to='[_INTERNAL_target_jabber]' from='[_INTERNAL_source_jabber]' type='error'><body>{_failure_unsupported_function_whisper}</body><error code='503' type='cancel'><service-unavailable xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'/><text xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'>{_failure_filter_strangers}</text></error></message>
 
+_failure_unsuccessful_delivery_timeout_dialback
+|## happens so frequently it is mostly just annoying
+
 _notice_received_email_UNUSED
 |<message from='[_INTERNAL_source_jabber]' to='[_INTERNAL_target_jabber]' type='headline'><body>{_notice_received_email}</body></message>
 

world/default/en/plain.textdb

@@ -5,10 +5,10 @@ _status_circuit_encryption_cipher
 |Congratulations. Your connection is encrypted with forward secrecy.
 
 _warning_circuit_encryption_cipher
-|Your cipher choice does not provide forward secrecy.
+|Your cipher choice does not provide forward secrecy ([_circuit_encryption_cipher]).
 
 _error_circuit_encryption_cipher
-|Unfortunately your cipher choice does not provide forward secrecy.
+|Unfortunately your cipher choice does not provide forward secrecy ([_circuit_encryption_cipher]).
 
 _failure_disabled_function_register
 |Registration disabled on this server.

world/default/it/plain.textdb

@@ -5,10 +5,10 @@ _status_circuit_encryption_cipher
 |Muy bueno! La tua connessione è crittata senza conseguenze.
 
 _warning_circuit_encryption_cipher
-|La tua connessione non è crittata senza conseguenze.
+|La tua connessione non è crittata senza conseguenze ([_circuit_encryption_cipher]).
 
 _error_circuit_encryption_cipher
-|Purtroppo la tua connessione non è crittata senza conseguenze.
+|Purtroppo la tua connessione non è crittata senza conseguenze ([_circuit_encryption_cipher]).
 
 _failure_disabled_function_register
 |Registrazione di nuovi utenti disabilitata su questo server.

world/net/library/tls.c

@@ -168,19 +168,19 @@ int tls_check_service_identity(string name, mixed cert, string scheme) {
     return 0;
 }
 
-int tls_check_cipher(object sock, string scheme) {
-    string t;
-    mixed m = tls_query_connection_info(sock);
-
-    P3(("%O is using the %O cipher.\n", sock, m[TLS_CIPHER]))
+string tls_bad_cipher(object sock, string scheme) {
+    // we can't expect that degree of privacy from jabber, for now
+    //if (scheme == "xmpp") return 0;
+    mixed t = tls_query_connection_info(sock);
+    unless (t) return "NO-CIPHER";  // shouldnt happen
+    t = t[TLS_CIPHER];
+    P3(("%O is using the %O cipher.\n", sock, t))
     // shouldn't our negotiation have ensured we have PFS?
-
-    if (stringp(t = m[TLS_CIPHER]) &&! (abbrev("DHE", t) || abbrev("ECDHE", t))) {
+    if (stringp(t) &&! (abbrev("DHE", t) || abbrev("ECDHE", t))) {
 	monitor_report("_warning_circuit_encryption_cipher_details",
 	    object_name(sock) +" · using "+ t +" cipher");
-	// we can't expect that degree of privacy from jabber, for now
-	if (scheme != "xmpp") return 0;
+	return t;
     }
-    return 1;
+    return 0;
 }
 

world/net/psyc/circuit.c

@@ -210,10 +210,14 @@ int logon(int neverfails) {
 #ifdef __TLS__
 	sAuthHosts(([ ])); // reset authhosts 
 	if (tls_available() && tls_query_connection_state(ME) == 1) {
-	    unless (tls_check_cipher(ME, "psyc")) {
+	    if (t = tls_bad_cipher(ME, "psyc")) {
 		croak("_error_circuit_encryption_cipher",
-		  "Your cipher choice does not provide forward secrecy.");
+		  "Your cipher choice does not provide forward secrecy.",
+		    ([ "_circuit_encryption_cipher": t ]));
 		QUIT
+            }
+        }
+
 	    }
 	    if (mappingp(cert = tls_certificate(ME, 0))) {
 		if (cert[0] != 0) {

world/net/spyc/circuit.c

@@ -102,10 +102,12 @@ void sender_verification(string sourcehost, mixed targethost)
 
 // gets called during socket logon
 int logon(int failure) {
+    string t;
     sAuthHosts(([ ])); // reset authhosts 
     legal_senders = ([ ]);
     instate = ([ "_INTERNAL_origin" : ME ]);
     outstate = ([ ]);
+
 #ifdef __TLS__
     P0(("circuit logon %O %O\n", tls_available(), tls_query_connection_state(ME)))
     // FIXME: needs to handle the not-detected case
@@ -117,16 +119,15 @@ int logon(int failure) {
 	    } else if (tls_query_connection_state(ME) == 1) {
 		    certinfo = tls_certificate(ME, 0);
 		    P0(("certinfo: %O\n", certinfo))
-		    unless (tls_check_cipher(ME, "psyc")) {
+		    if (t = tls_bad_cipher(ME, "psyc")) {
 			    croak("_error_circuit_encryption_cipher",
-	      "Your cipher choice does not provide forward secrecy.");
+		      "Your cipher choice does not provide forward secrecy.",
+				([ "_circuit_encryption_cipher": t ]));
 			    //destruct(ME);
-		    }
-
+		    }   
 	    }
     }
 #endif
-
     peerip = query_ip_number(ME) || "127.0.0.1";
 
     input_to(#'feed, INPUT_IGNORE_BANG);

world/net/user.c

@@ -1569,13 +1569,15 @@ logon() {
 		// deteriorate differently?
 	}
 #ifdef __TLS__
+	string evil;
+
 	if (tls_query_connection_state(ME) == 1) {
-	    if (tls_check_cipher(ME, t)) {
-                unless (beQuiet) w("_status_circuit_encryption_cipher");
-	    } else {
+	    if (evil = tls_bad_cipher(ME, t)) {
 		// i bet jabber users will love this
-                w("_warning_circuit_encryption_cipher");
+                w("_warning_circuit_encryption_cipher", 0, ([ "_circuit_encryption_cipher": evil ]));
 		//return remove_interactive(ME);
+	    } else {
+                unless (beQuiet) w("_status_circuit_encryption_cipher");
 	    }
 	}
 #endif