Bug 114945 - Please set the libsoup property "ssl-use-system-ca-file" to True by default
Summary: Please set the libsoup property "ssl-use-system-ca-file" to True by default
Status: UNCONFIRMED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKitGTK (show other bugs)
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-04-22 02:32 PDT by Michael Vogt
Modified: 2017-03-11 10:52 PST (History)
6 users (show)

See Also:

Attachments
change global WebCore::ResourceHandle::setIgnoreSSLErrors() default (630 bytes, patch)
2013-04-25 09:32 PDT, Michael Vogt 		no flags Details | Formatted Diff | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Michael Vogt 2013-04-22 02:32:36 PDT 
I recently stumbled over https://bugzilla.gnome.org/show_bug.cgi?id=666280 in a project of mine again.

In a nutshell, the issue is that libsoup will not do SSL certification checking by default unless its
explicitly enabled. This is documented in libsoup and my bugreport about this (from 2011) got rejected
on the grounds that its documented behaviour.

In the libsoup bugreport Gustavo Noronha mentions that you may consider setting this in webkkitgtk by
default. I would like to ask for this again as I almost forgot to set it in a new project of mine that
uses webkitgtk and talks to a SSL server.

The following (pygi) code is needed, I'm happy to do a proper patch for the C webkitgtk is there is a
chance that my patch gets accepted. The pygi code:
"""
session = WebKit.get_default_session()
session.set_property("ssl-use-system-ca-file", True)
"""

Thanks for considering,
 Michael
Comment 1 Gustavo Noronha (kov) 2013-04-24 10:18:18 PDT 
This is non-wk2, I would be OK with setting this by default, anyone against?
Comment 2 Martin Robinson 2013-04-24 10:20:40 PDT 
(In reply to comment #1)
> This is non-wk2, I would be OK with setting this by default, anyone against?

Couldn't this change potentially break any existing applications that rely on accessing sites with invalid certificates?
Comment 3 Sergio Villar Senin 2013-04-24 10:23:52 PDT 
(In reply to comment #2)
> (In reply to comment #1)
> > This is non-wk2, I would be OK with setting this by default, anyone against?
> 
> Couldn't this change potentially break any existing applications that rely on accessing sites with invalid certificates?

I think that change was discarded in the past precisely because of that reason.
Comment 4 Michael Vogt 2013-04-24 11:29:11 PDT 
I do understand the concern about backward comparability so maybe it can be done with the next API break? 

Having the user to read and learn how to make it check certificates by default seems the wrong way around, I think it should be "secure" by default and if the user does not want this, he/she can disable it via the property.

Like I said, I'm happy to work on a patch, but I (obviously) don't want to spend time on it if it has no chance of getting merged.
Comment 5 Dan Winship 2013-04-24 11:30:27 PDT 
"the next API break" is webkit2, and I believe this is already the default there
Comment 6 Michael Vogt 2013-04-25 09:32:22 PDT 
Created attachment 199672 [details]
change global WebCore::ResourceHandle::setIgnoreSSLErrors() default

Thanks Dan for your reply.

Pardon my ignorance, but I checked out the git tree of webkit and greped for ssl-use-system-ca-file, ssl-strict, ssl-ca-file and only found references to this in Source/WebKit/efl.

Looking at webkitglobs.cpp I see webkitInit() is currently using:
  WebCore::ResourceHandle::setIgnoreSSLErrors(true);
which seems to indicate the default is to not check certificates.

The comment in https://bugs.webkit.org/show_bug.cgi?id=90267#c17 indicates that the plan is to change the default once there is UI for this. But I don't know the status of this unfortunately.

Thanks,
 Michael