Summary: | Please set the libsoup property "ssl-use-system-ca-file" to True by default | ||||||
---|---|---|---|---|---|---|---|
Product: | WebKit | Reporter: | Michael Vogt <michael.vogt> | ||||
Component: | WebKitGTK | Assignee: | Nobody <webkit-unassigned> | ||||
Status: | UNCONFIRMED --- | ||||||
Severity: | Normal | CC: | bugs-noreply, cgarcia, danw, gustavo, mrobinson, svillar | ||||
Priority: | P2 | ||||||
Version: | 528+ (Nightly build) | ||||||
Hardware: | Unspecified | ||||||
OS: | Unspecified | ||||||
Attachments: |
|
Description
Michael Vogt
2013-04-22 02:32:36 PDT
This is non-wk2, I would be OK with setting this by default, anyone against? (In reply to comment #1) > This is non-wk2, I would be OK with setting this by default, anyone against? Couldn't this change potentially break any existing applications that rely on accessing sites with invalid certificates? (In reply to comment #2) > (In reply to comment #1) > > This is non-wk2, I would be OK with setting this by default, anyone against? > > Couldn't this change potentially break any existing applications that rely on accessing sites with invalid certificates? I think that change was discarded in the past precisely because of that reason. I do understand the concern about backward comparability so maybe it can be done with the next API break? Having the user to read and learn how to make it check certificates by default seems the wrong way around, I think it should be "secure" by default and if the user does not want this, he/she can disable it via the property. Like I said, I'm happy to work on a patch, but I (obviously) don't want to spend time on it if it has no chance of getting merged. "the next API break" is webkit2, and I believe this is already the default there Created attachment 199672 [details] change global WebCore::ResourceHandle::setIgnoreSSLErrors() default Thanks Dan for your reply. Pardon my ignorance, but I checked out the git tree of webkit and greped for ssl-use-system-ca-file, ssl-strict, ssl-ca-file and only found references to this in Source/WebKit/efl. Looking at webkitglobs.cpp I see webkitInit() is currently using: WebCore::ResourceHandle::setIgnoreSSLErrors(true); which seems to indicate the default is to not check certificates. The comment in https://bugs.webkit.org/show_bug.cgi?id=90267#c17 indicates that the plan is to change the default once there is UI for this. But I don't know the status of this unfortunately. Thanks, Michael |