Merge pull request #11704 from akallabeth/cert-ignore-warn

[crypto,tls] pring big warning for /cert:ignore

channels/drdynvc/client/drdynvc_main.c

@@ -433,12 +433,9 @@ static void check_open_close_receive(DVCMAN_CHANNEL* channel)
 	const UINT32 id = channel->channel_id;
 
 	WINPR_ASSERT(cb);
-	if (cb->OnOpen || cb->OnClose)
+	if (!cb->OnOpen || !cb->OnClose || !cb->OnDataReceived)
-	{
+		WLog_VRB(TAG, "{%s:%" PRIu32 "} OnOpen=%p, OnClose=%p, OnDataReceived=%p", name, id,
-		if (!cb->OnOpen || !cb->OnClose)
+		         cb->OnOpen, cb->OnClose, cb->OnDataReceived);
-			WLog_WARN(TAG, "{%s:%" PRIu32 "} OnOpen=%p, OnClose=%p", name, id, cb->OnOpen,
-			          cb->OnClose);
-	}
 }
 
 static UINT dvcman_call_on_receive(DVCMAN_CHANNEL* channel, wStream* data)

libfreerdp/crypto/tls.c

@@ -1686,8 +1686,14 @@ int tls_verify_certificate(rdpTls* tls, const rdpCertificate* cert, const char*
 		}
 	}
 	/* ignore certificate verification if user explicitly required it (discouraged) */
-	else if (tls->context->settings->IgnoreCertificate)
+	else if (freerdp_settings_get_bool(tls->context->settings, FreeRDP_IgnoreCertificate))
+	{
+		WLog_WARN(TAG, "[DANGER] Certificate not checked, /cert:ignore in use.");
+		WLog_WARN(TAG, "[DANGER] This prevents MITM attacks from being detected!");
+		WLog_WARN(TAG,
+		          "[DANGER] Avoid using this unless in a secure LAN (=no internet) environment");
 		verification_status = 1; /* success! */
+	}
 	else if (!tls->isGatewayTransport && (tls->context->settings->AuthenticationLevel == 0))
 		verification_status = 1; /* success! */
 	else