I recently stumbled over https://bugzilla.gnome.org/show_bug.cgi?id=666280 in a project of mine again.
In a nutshell, the issue is that libsoup will not do SSL certificate checking by default unless it's
explicitly enabled. This is documented in libsoup, and my bug report about this (from 2011) got rejected
on the grounds that it's documented behaviour.
In the libsoup bug report Gustavo Noronha mentions that you may consider setting this in webkitgtk by
default. I would like to ask for this again as I almost forgot to set it in a new project of mine that
uses webkitgtk and talks to an SSL server.
The following (pygi) code is needed. I'm happy to do a proper patch for the C webkitgtk if there is a
chance that my patch gets accepted. The pygi code:
session = WebKit.get_default_session()
Thanks for considering,
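Added example (not code from the reporter or from WebKitGTK/libsoup): a small PyGObject helper that turns certificate validation on for the WebKitGTK default session and, more importantly, checks that it is actually on. It assumes the libsoup GObject properties ssl-strict, ssl-use-system-ca-file and ssl-ca-file (libsoup 2.38 or later) and that strict mode only rejects anything when a CA source is configured; the FakeSession class and its default values are constructed for the self-test and are not read from libsoup.

```python
"""Enable and verify TLS certificate checking on a WebKitGTK (WebKit1) SoupSession.

Assumed libsoup property names (not defined on this page): "ssl-strict",
"ssl-use-system-ca-file", "ssl-ca-file".
"""


def harden_session(session):
    """Turn on strict validation against the system CA store.

    `session` is anything with GObject-style get_property/set_property:
    a real SoupSession, or the constructed FakeSession below.
    """
    # A CA source first: strict mode without one has nothing to validate against.
    session.set_property("ssl-use-system-ca-file", True)
    session.set_property("ssl-strict", True)
    return session


def certificate_checking_enabled(session):
    """Return True only if the session will reject bad certificates.

    Both halves are required: ssl-strict must be on AND a CA source
    (system store or an explicit ssl-ca-file) must be configured.
    """
    if not session.get_property("ssl-strict"):
        return False
    if session.get_property("ssl-use-system-ca-file"):
        return True
    return bool(session.get_property("ssl-ca-file"))


class FakeSession:
    """Constructed stand-in for SoupSession used by the self-test.

    Defaults are chosen to mirror the situation the bug report describes
    (no CA source configured), not taken from libsoup itself.
    """

    def __init__(self, **props):
        self._props = {
            "ssl-strict": False,
            "ssl-use-system-ca-file": False,
            "ssl-ca-file": None,
        }
        self._props.update(props)

    def get_property(self, name):
        return self._props[name]

    def set_property(self, name, value):
        self._props[name] = value


def default_session():
    """Fetch the real WebKitGTK 1.x session (needs PyGObject and WebKitGTK).

    Imported lazily so the rest of the module works without GTK installed.
    """
    import gi

    gi.require_version("WebKit", "3.0")  # assumed: WebKit1 GTK+3 typelib
    from gi.repository import WebKit

    return WebKit.get_default_session()


if __name__ == "__main__":
    # Offline demonstration on the constructed stub: off by default, on after hardening.
    stub = FakeSession()
    print("before:", certificate_checking_enabled(stub))
    harden_session(stub)
    print("after: ", certificate_checking_enabled(stub))
```

In an application you would call `harden_session(default_session())` once at startup, before the first request, and refuse to start if `certificate_checking_enabled` still returns False; the stub is only there so the logic can be exercised without WebKitGTK.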
This is non-wk2, I would be OK with setting this by default, anyone against?
(In reply to comment #1)
> This is non-wk2, I would be OK with setting this by default, anyone against?
Couldn't this change potentially break any existing applications that rely on accessing sites with invalid certificates?
(In reply to comment #2)
> (In reply to comment #1)
> > This is non-wk2, I would be OK with setting this by default, anyone against?
> Couldn't this change potentially break any existing applications that rely on accessing sites with invalid certificates?
I think that change was discarded in the past precisely because of that reason.
I do understand the concern about backward compatibility, so maybe it can be done with the next API break?
Having the user read and learn how to make it check certificates by default seems the wrong way around. I think it should be "secure" by default, and if the user does not want this, he/she can disable it via the property.
Like I said, I'm happy to work on a patch, but I (obviously) don't want to spend time on it if it has no chance of getting merged.
"the next API break" is webkit2, and I believe this is already the default there
Created attachment 199672 [details]
change global WebCore::ResourceHandle::setIgnoreSSLErrors() default
Thanks Dan for your reply.
Pardon my ignorance, but I checked out the git tree of webkit and grepped for ssl-use-system-ca-file, ssl-strict, ssl-ca-file and only found references to this in Source/WebKit/efl.
Looking at webkitglobals.cpp I see webkitInit() is currently using:
which seems to indicate the default is to not check certificates.
The comment in https://bugs.webkit.org/show_bug.cgi?id=90267#c17 indicates that the plan is to change the default once there is UI for this. But I don't know the status of this unfortunately.