44769 2010-08-27 08:48:32 -0700 [Qt] Web Sockets are insecure with QtWebKit 2010-09-24 18:11:39 -0700 1 1 1 Unclassified WebKit New Bugs 528+ (Nightly build) All All RESOLVED FIXED Qt, QtTriaged P2 Major --- 1 hausmann webkit-qt-unassigned ademar commit-queue laszlo.gombos markus yael oldest_to_newest 270517 0 hausmann 2010-08-27 08:48:32 -0700 The current Socket Stream Handle implementation, in particular SocketStreamHandlePrivate::socketSslErrors() causes ssl certificate errors to be ignored. For the QtWebKit 2.1 release we should either a) Disable web socket support or b) Abort the connection on ssl certificate errors. 279019 1 yael 2010-09-14 10:41:47 -0700 (In reply to comment #0) > The current Socket Stream Handle implementation, in particular SocketStreamHandlePrivate::socketSslErrors() causes ssl certificate errors to be ignored. > > For the QtWebKit 2.1 release we should either > > a) Disable web socket support > > or > > b) Abort the connection on ssl certificate errors. Can we abort the connection in WebKit 2.1, but not in webkit.org ? I'd like to be able to test with my Apache server, but it does not have a valid certificate :-) 280270 2 hausmann 2010-09-16 12:22:41 -0700 (In reply to comment #1) > (In reply to comment #0) > > The current Socket Stream Handle implementation, in particular SocketStreamHandlePrivate::socketSslErrors() causes ssl certificate errors to be ignored. > > > > For the QtWebKit 2.1 release we should either > > > > a) Disable web socket support > > > > or > > > > b) Abort the connection on ssl certificate errors. > > Can we abort the connection in WebKit 2.1, but not in webkit.org ? > I'd like to be able to test with my Apache server, but it does not have a valid certificate :-) Sure. Another option would be to make this behaviour depend on whether we're running in DRT mode or not. 281273 3 68025 yael 2010-09-19 08:09:53 -0700 Created attachment 68025 Patch. Throw an error when the websocket server certificate is not valid. Please note that currently DRT does not test secure websocket connections, so there is no impact to current layout tests. Once DRT gets back support for secure websocket connections, this patch will cause those tests to fail. If ok with you, let's apply this patch only to webkit 2.1, but not to trunk. I believe that Chromium is using the same approach. 282897 4 markus 2010-09-22 06:23:28 -0700 The patch looks good to me. At some point in the future we might want to forward the sslErrors signal to the user (=browser implementor) so he can handle it similar to the sslErrors signal that is coming from the QNetworkAccessManager. 284098 5 yael 2010-09-23 16:45:43 -0700 After talking to Laszlo today, I don't mind if this lands in the trunk. 284105 6 68025 kenneth 2010-09-23 16:52:38 -0700 Comment on attachment 68025 Patch. LGTM, r=me 284327 7 68025 yael 2010-09-24 05:31:45 -0700 Comment on attachment 68025 Patch. Thanks, Kenneth :-) 284329 8 68025 commit-queue 2010-09-24 05:44:53 -0700 Comment on attachment 68025 Patch. Clearing flags on attachment: 68025 Committed r68248: <http://trac.webkit.org/changeset/68248> 284330 9 commit-queue 2010-09-24 05:44:58 -0700 All reviewed patches have been landed. Closing bug. 284364 10 ademar 2010-09-24 07:17:37 -0700 Revision r68248 cherry-picked into qtwebkit-2.1 with commit a2fab5a <http://gitorious.org/webkit/qtwebkit/commit/a2fab5a> 284887 11 yael 2010-09-24 18:11:39 -0700 *** Bug 36655 has been marked as a duplicate of this bug. *** 68025 2010-09-19 08:09:53 -0700 2010-09-24 05:44:53 -0700 Patch. 44769.patch text/plain 1761 yael SW5kZXg6IFdlYkNvcmUvQ2hhbmdlTG9nCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIFdlYkNvcmUvQ2hhbmdlTG9n CShyZXZpc2lvbiA2NzgxMSkKKysrIFdlYkNvcmUvQ2hhbmdlTG9nCSh3b3JraW5nIGNvcHkpCkBA IC0xLDMgKzEsMTggQEAKKzIwMTAtMDktMTkgIFlhZWwgQWhhcm9uICA8eWFlbC5haGFyb25Abm9r aWEuY29tPgorCisgICAgICAgIFJldmlld2VkIGJ5IE5PQk9EWSAoT09QUyEpLgorCisgICAgICAg IFtRdF0gV2ViIFNvY2tldHMgYXJlIGluc2VjdXJlIHdpdGggUXRXZWJLaXQKKyAgICAgICAgaHR0 cHM6Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lkPTQ0NzY5CisKKyAgICAgICAgVGhy b3cgYW4gZXJyb3Igd2hlbiB0aGUgc2VydmVyIGNlcnRpZmljYXRlIGlzIG5vdCB2YWxpZC4KKyAg ICAgICAgRFJUIGN1cnJlbnRseSBkb2VzIG5vdCBzdXBwb3J0IHNlY3VyZSB3ZWJzb2NrZXQgY29u bmVjdGlvbiwKKyAgICAgICAgc28gbm8gbmV3IHRlc3RzLiBUaGlzIHdhcyB0ZXN0ZWQgd2l0aCB0 aGUgc2VydmVyIGF0IAorICAgICAgICBodHRwOi8vY29kZS5nb29nbGUuY29tL3AvcHl3ZWJzb2Nr ZXQgaW5zdGVhZC4KKworICAgICAgICAqIHBsYXRmb3JtL25ldHdvcmsvcXQvU29ja2V0U3RyZWFt SGFuZGxlUXQuY3BwOgorICAgICAgICAoV2ViQ29yZTo6U29ja2V0U3RyZWFtSGFuZGxlUHJpdmF0 ZTo6c29ja2V0U3NsRXJyb3JzKToKKwogMjAxMC0wOS0xOSAgS2VudCBUYW11cmEgIDx0a2VudEBj aHJvbWl1bS5vcmc+CiAKICAgICAgICAgUmV2aWV3ZWQgYnkgRGltaXRyaSBHbGF6a292LgpJbmRl eDogV2ViQ29yZS9wbGF0Zm9ybS9uZXR3b3JrL3F0L1NvY2tldFN0cmVhbUhhbmRsZVF0LmNwcAo9 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09Ci0tLSBXZWJDb3JlL3BsYXRmb3JtL25ldHdvcmsvcXQvU29ja2V0U3RyZWFtSGFu ZGxlUXQuY3BwCShyZXZpc2lvbiA2NzYxMykKKysrIFdlYkNvcmUvcGxhdGZvcm0vbmV0d29yay9x dC9Tb2NrZXRTdHJlYW1IYW5kbGVRdC5jcHAJKHdvcmtpbmcgY29weSkKQEAgLTE0OCwxMiArMTQ4 LDkgQEAgdm9pZCBTb2NrZXRTdHJlYW1IYW5kbGVQcml2YXRlOjpzb2NrZXRFcgogfQogCiAjaWZu ZGVmIFFUX05PX09QRU5TU0wKLXZvaWQgU29ja2V0U3RyZWFtSGFuZGxlUHJpdmF0ZTo6c29ja2V0 U3NsRXJyb3JzKGNvbnN0IFFMaXN0PFFTc2xFcnJvcj4mKQordm9pZCBTb2NrZXRTdHJlYW1IYW5k bGVQcml2YXRlOjpzb2NrZXRTc2xFcnJvcnMoY29uc3QgUUxpc3Q8UVNzbEVycm9yPiYgZXJyb3Ip CiB7Ci0gICAgLy8gRklYTUU6IGJhc2VkIG9uIGh0dHA6Ly90b29scy5pZXRmLm9yZy9odG1sL2Ry YWZ0LWhpeGllLXRoZXdlYnNvY2tldHByb3RvY29sLTY4I3BhZ2UtMTUKLSAgICAvLyB3ZSBzaG91 bGQgYWJvcnQgb24gY2VydGlmaWNhdGUgZXJyb3JzLgotICAgIC8vIFdlIGRvbid0IGFib3J0IHdo aWxlIHRoaXMgaXMgc3RpbGwgd29yayBpbiBwcm9ncmVzcy4KLSAgICBzdGF0aWNfY2FzdDxRU3Ns U29ja2V0Kj4obV9zb2NrZXQpLT5pZ25vcmVTc2xFcnJvcnMoKTsKKyAgICBRTWV0YU9iamVjdDo6 aW52b2tlTWV0aG9kKHRoaXMsICJzb2NrZXRFcnJvckNhbGxiYWNrIiwgUXQ6OlF1ZXVlZENvbm5l Y3Rpb24sIFFfQVJHKGludCwgZXJyb3JbMF0uZXJyb3IoKSkpOwogfQogI2VuZGlmCiAK