UNCONFIRMED
114945
Please set the libsoup property "ssl-use-system-ca-file" to True by default
https://bugs.webkit.org/show_bug.cgi?id=114945
Michael Vogt
Reported
2013-04-22 02:32:36 PDT
I recently stumbled over https://bugzilla.gnome.org/show_bug.cgi?id=666280 in a project of mine again. In a nutshell, the issue is that libsoup will not do SSL certification checking by default unless it's explicitly enabled. This is documented in libsoup and my bug report about this (from 2011) got rejected on the grounds that it's documented behaviour. In the libsoup bug report Gustavo Noronha mentions that you may consider setting this in webkitgtk by default.

I would like to ask for this again as I almost forgot to set it in a new project of mine that uses webkitgtk and talks to an SSL server. The following (pygi) code is needed; I'm happy to do a proper patch for the C webkitgtk if there is a chance that my patch gets accepted.

The pygi code:
"""
from gi.repository import WebKit  # WebKitGTK (WebKit1) bindings

session = WebKit.get_default_session()
session.set_property("ssl-use-system-ca-file", True)
"""

Thanks for considering,
Michael
Attachments
change global WebCore::ResourceHandle::setIgnoreSSLErrors() default (630 bytes, patch), 2013-04-25 09:32 PDT, Michael Vogt
Gustavo Noronha (kov)
Comment 1
2013-04-24 10:18:18 PDT
This is non-wk2, I would be OK with setting this by default, anyone against?
Martin Robinson
Comment 2
2013-04-24 10:20:40 PDT
(In reply to comment #1)
> This is non-wk2, I would be OK with setting this by default, anyone against?
Couldn't this change potentially break any existing applications that rely on accessing sites with invalid certificates?
Sergio Villar Senin
Comment 3
2013-04-24 10:23:52 PDT
(In reply to comment #2)
> (In reply to comment #1)
> > This is non-wk2, I would be OK with setting this by default, anyone against?
>
> Couldn't this change potentially break any existing applications that rely on accessing sites with invalid certificates?
I think that change was discarded in the past precisely because of that reason.
Michael Vogt
Comment 4
2013-04-24 11:29:11 PDT
I do understand the concern about backward compatibility, so maybe it can be done with the next API break? Having the user read and learn how to make it check certificates by default seems the wrong way around. I think it should be "secure" by default and if the user does not want this, he/she can disable it via the property.

Like I said, I'm happy to work on a patch, but I (obviously) don't want to spend time on it if it has no chance of getting merged.
Dan Winship
Comment 5
2013-04-24 11:30:27 PDT
"the next API break" is webkit2, and I believe this is already the default there
Michael Vogt
Comment 6
2013-04-25 09:32:22 PDT
Created attachment 199672
change global WebCore::ResourceHandle::setIgnoreSSLErrors() default

Thanks Dan for your reply. Pardon my ignorance, but I checked out the git tree of webkit and grepped for ssl-use-system-ca-file, ssl-strict, ssl-ca-file and only found references to this in Source/WebKit/efl. Looking at webkitglobs.cpp I see webkitInit() is currently using:
WebCore::ResourceHandle::setIgnoreSSLErrors(true);
which seems to indicate the default is to not check certificates. The comment in https://bugs.webkit.org/show_bug.cgi?id=90267#c17 indicates that the plan is to change the default once there is UI for this. But I don't know the status of this unfortunately.

Thanks,
Michael
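Because the default discussed in this thread leaves certificate checking off, application code has to be reviewed for it. The following is an added example, not code from this bug report or from WebKit: a heuristic source audit that flags files which obtain a libsoup session but never enable a CA file, and files that call setIgnoreSSLErrors(true). The regular expressions, the `audit` function and the sample files are constructed for illustration.

```python
import re

# Calls that obtain a libsoup session: the WebKitGTK accessor from the report
# and the libsoup 2.x constructors (including the *_new_with_options variants).
SESSION = re.compile(
    r"\b(?:webkit_)?get_default_session\b|\bsoup_session_(?:a?sync_)?new")
# A CA source is configured: "ssl-use-system-ca-file" set to true (property
# string or SOUP_SESSION_SSL_USE_SYSTEM_CA_FILE macro), or any "ssl-ca-file".
CA_ON = re.compile(
    r"ssl[-_]use[-_]system[-_]ca[-_]file\W+true\b|ssl[-_]ca[-_]file", re.I)
# The global switch quoted in comment 6.
IGNORE = re.compile(r"setIgnoreSSLErrors\s*\(\s*true\s*\)")

NO_CA = "libsoup session without a CA file: certificates are not checked"
IGNORED = "setIgnoreSSLErrors(true): certificate errors are ignored"

def audit(sources):
    """Return (file, line, finding) tuples for a {filename: text} mapping.

    Heuristic and file-scoped: a CA property set anywhere in a file clears
    the finding for every session used in that file.
    """
    findings = []
    for name, text in sorted(sources.items()):
        lines = text.splitlines()
        for no, line in enumerate(lines, 1):
            if IGNORE.search(line):
                findings.append((name, no, IGNORED))
        first_use = next(
            (no for no, line in enumerate(lines, 1) if SESSION.search(line)), None)
        if first_use is not None and not CA_ON.search(text):
            findings.append((name, first_use, NO_CA))
    return findings

# Constructed sample files (not taken from any real project).
SAMPLES = {
    "unchecked.py": 'session = WebKit.get_default_session()\n'
                    'session.add_feature(jar)\n',
    "checked.py": 'session = WebKit.get_default_session()\n'
                  'session.set_property("ssl-use-system-ca-file", True)\n',
    "disabled.c": 'SoupSession *s = soup_session_async_new_with_options(\n'
                  '    SOUP_SESSION_SSL_USE_SYSTEM_CA_FILE, FALSE, NULL);\n',
    "init.cpp": 'WebCore::ResourceHandle::setIgnoreSSLErrors(true);\n',
}

if __name__ == "__main__":
    for finding in audit(SAMPLES):
        print("%s:%d: %s" % finding)
```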