Diffstat (limited to 'src')
-rw-r--r--src/command/command.c3
-rw-r--r--src/command/commands.c37
-rw-r--r--src/event/server_events.c1
-rw-r--r--src/xmpp/connection.c16
-rw-r--r--src/xmpp/xmpp.h4
5 files changed, 61 insertions, 0 deletions
diff --git a/src/command/command.c b/src/command/command.c
index c571cffb..e75757bb 100644
--- a/src/command/command.c
+++ b/src/command/command.c
@@ -206,6 +206,7 @@ static struct cmd_t command_defs[] =
             "/tls allow",
             "/tls always",
             "/tls deny",
+            "/tls cert",
             "/tls trusted",
             "/tls revoke <fingerprint>",
             "/tls certpath",
@@ -218,6 +219,7 @@ static struct cmd_t command_defs[] =
             { "allow",                "Allow connection to continue with an invalid TLS certificate." },
             { "always",               "Always allow connections with this invalid TLS certificate." },
             { "deny",                 "Terminate TLS connection." },
+            { "cert",                 "Show the current TLS certificate." },
             { "trusted",              "List manually trusted certificates (with /tls always)." },
             { "revoke <fingerprint>", "Remove a manually trusted certificate." },
             { "certpath",             "Show the trusted certificate path." },
@@ -2220,6 +2222,7 @@ cmd_init(void)
     autocomplete_add(tls_ac, "allow");
     autocomplete_add(tls_ac, "always");
     autocomplete_add(tls_ac, "deny");
+    autocomplete_add(tls_ac, "cert");
     autocomplete_add(tls_ac, "trusted");
     autocomplete_add(tls_ac, "revoke");
     autocomplete_add(tls_ac, "certpath");
diff --git a/src/command/commands.c b/src/command/commands.c
index cf7290ad..d48fbe6d 100644
--- a/src/command/commands.c
+++ b/src/command/commands.c
@@ -159,6 +159,7 @@ gboolean
 cmd_tls(ProfWin *window, const char *const command, gchar **args)
 {
     if (g_strcmp0(args[0], "certpath") == 0) {
+#ifdef HAVE_LIBMESODE
         if (g_strcmp0(args[1], "set") == 0) {
             if (args[2] == NULL) {
                 cons_bad_cmd_usage(command);
@@ -189,7 +190,12 @@ cmd_tls(ProfWin *window, const char *const command, gchar **args)
             cons_bad_cmd_usage(command);
             return TRUE;
         }
+#else
+        cons_show("Certificate path setting only supported when built with libmesode.");
+        return TRUE;
+#endif
     } else if (g_strcmp0(args[0], "trusted") == 0) {
+#ifdef HAVE_LIBMESODE
         GList *certs = tlscerts_list();
         GList *curr = certs;
 
@@ -224,7 +230,12 @@ cmd_tls(ProfWin *window, const char *const command, gchar **args)
         }
         g_list_free_full(certs, (GDestroyNotify)tlscerts_free);
         return TRUE;
+#else
+        cons_show("Manual certificate trust only supported when built with libmesode.");
+        return TRUE;
+#endif
     } else if (g_strcmp0(args[0], "revoke") == 0) {
+#ifdef HAVE_LIBMESODE
         if (args[1] == NULL) {
             cons_bad_cmd_usage(command);
         } else {
@@ -236,8 +247,34 @@ cmd_tls(ProfWin *window, const char *const command, gchar **args)
             }
         }
         return TRUE;
+#else
+        cons_show("Manual certificate trust only supported when built with libmesode.");
+        return TRUE;
+#endif
     } else if (g_strcmp0(args[0], "show") == 0) {
         return _cmd_set_boolean_preference(args[1], command, "TLS titlebar indicator", PREF_TLS_SHOW);
+    } else if (g_strcmp0(args[0], "cert") == 0) {
+#ifdef HAVE_LIBMESODE
+        jabber_conn_status_t conn_status = jabber_get_connection_status();
+        if (conn_status != JABBER_CONNECTED) {
+            cons_show("You are not currently connected.");
+            return TRUE;
+        }
+        if (!jabber_conn_is_secured()) {
+            cons_show("No TLS connection established");
+            return TRUE;
+        }
+        char *cert = jabber_get_tls_peer_cert();
+        if (cert) {
+            cons_show("TLS certificate fingerprint: %s", cert);
+        } else {
+            cons_show("Error getting TLS fingerprint.");
+        }
+        return TRUE;
+#else
+        cons_show("Certificate fetching not supported.");
+        return TRUE;
+#endif
     } else {
         cons_bad_cmd_usage(command);
         return TRUE;
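Review bot: In the new `cert` branch the string returned by `jabber_get_tls_peer_cert()` is printed and then dropped, and nothing visible in this commit says who owns it; if the library allocates the buffer, every `/tls cert` leaks it, so ownership should be confirmed and the buffer released after `cons_show` if it is caller-owned. The value is labelled a fingerprint without naming the digest algorithm, which a user needs when comparing it out-of-band against the value the server operator publishes; name the algorithm in the message once it is confirmed from the library. The `#else` text could follow the other three branches, `cons_show("Certificate fetching only supported when built with libmesode.");`. cmd_tls begins and ends outside this hunk.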
diff --git a/src/event/server_events.c b/src/event/server_events.c
index 032c8d16..2663eb09 100644
--- a/src/event/server_events.c
+++ b/src/event/server_events.c
@@ -119,6 +119,7 @@ sv_ev_failed_login(void)
 {
     cons_show_error("Login failed.");
     log_info("Login failed");
+    tlscerts_clear_current();
 }
 
 void
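Review bot: The added `tlscerts_clear_current();` in sv_ev_failed_login has no comment saying why a failed login must reset certificate state, and it is called unconditionally while this same commit wraps the other `tlscerts_*` uses in cmd_tls in `#ifdef HAVE_LIBMESODE`. If, as the name suggests, it forgets the certificate recorded for the current attempt, a comment such as `/* forget the certificate recorded for this attempt so the next connect is checked afresh */` would record that intent. It is also worth confirming that the call compiles and is meaningful in a build without libmesode.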
diff --git a/src/xmpp/connection.c b/src/xmpp/connection.c
index 27711a4c..2986b0bc 100644
--- a/src/xmpp/connection.c
+++ b/src/xmpp/connection.c
@@ -392,8 +392,24 @@ _connection_certfail_cb(const char *const certname, const char *const certfp,
 {
     return sv_ev_certfail(errormsg, certname, certfp, notbefore, notafter);
 }
+
+char*
+jabber_get_tls_peer_cert(void)
+{
+    return xmpp_conn_tls_peer_cert(jabber_conn.conn);
+}
 #endif
 
+gboolean
+jabber_conn_is_secured(void)
+{
+    if (jabber_conn.conn_status == JABBER_CONNECTED) {
+        return xmpp_conn_is_secured(jabber_conn.conn) == 0 ? FALSE : TRUE;
+    } else {
+        return FALSE;
+    }
+}
+
 static jabber_conn_status_t
 _jabber_connect(const char *const fulljid, const char *const passwd,
     const char *const altdomain, int port, const char *const tls_policy)
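Review bot: `jabber_get_tls_peer_cert()` passes `jabber_conn.conn` straight to `xmpp_conn_tls_peer_cert()` with no state check, whereas `jabber_conn_is_secured()` just below it tests `conn_status` first. The only caller in this commit checks both conditions beforehand, but the function is exported in xmpp.h, so a later caller could reach the library with a missing or disconnected handle; adding `if (jabber_conn.conn_status != JABBER_CONNECTED) return NULL;` keeps the two accessors consistent. In `jabber_conn_is_secured()` the ternary can be written `return xmpp_conn_is_secured(jabber_conn.conn) != 0;`. `_jabber_connect` at the end of the hunk continues outside it.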
diff --git a/src/xmpp/xmpp.h b/src/xmpp/xmpp.h
index d49b106d..00f83d3f 100644
--- a/src/xmpp/xmpp.h
+++ b/src/xmpp/xmpp.h
@@ -152,6 +152,10 @@ char* jabber_get_account_name(void);
 GList* jabber_get_available_resources(void);
 char* jabber_create_uuid(void);
 void jabber_free_uuid(char *uuid);
+#ifdef HAVE_LIBMESODE
+char* jabber_get_tls_peer_cert(void);
+#endif
+gboolean jabber_conn_is_secured(void);
 
 // message functions
 char* message_send_chat(const char *const barejid, const char *const msg);