RESOLVED FIXED 175147
[Win] DRT should only allow any https certificate for localhost. 
https://bugs.webkit.org/show_bug.cgi?id=175147
Summary [Win] DRT should only allow any https certificate for localhost.
Per Arne Vollan
Reported 2017-08-03 12:38:41 PDT
The same restriction is enforced on macOS.
Attachments
Patch (3.27 KB, patch)
2017-08-03 13:13 PDT, Per Arne Vollan 		no flags
DetailsFormatted DiffDiff
Patch (3.29 KB, patch)
2017-08-03 13:21 PDT, Per Arne Vollan 		bfulgham: review+
bfulgham: commit-queue-
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Per Arne Vollan
Comment 1 2017-08-03 13:13:26 PDT
Created attachment 317142 [details] Patch
Per Arne Vollan
Comment 2 2017-08-03 13:21:04 PDT
Created attachment 317144 [details] Patch
Alexey Proskuryakov
Comment 3 2017-08-03 15:04:56 PDT
Comment on attachment 317144 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=317144&action=review > Source/WebCore/ChangeLog:3 > + [Win] DRT should only allow any https certificate for localhost. Is SSL completely broken on Windows? There is a change in WebCore, what is its impact other than on testing?
Per Arne Vollan
Comment 4 2017-08-03 15:37:51 PDT
(In reply to Alexey Proskuryakov from comment #3) > Comment on attachment 317144 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=317144&action=review > > > Source/WebCore/ChangeLog:3 > > + [Win] DRT should only allow any https certificate for localhost. > > Is SSL completely broken on Windows? There is a change in WebCore, what is > its impact other than on testing? SSL works on Windows, but SSL tests are failing because the layout test certificate has expired. To work around this, I recently committed a change to allow any https certificate in layout tests, but this was not enough to get SSL tests to pass, since there appears to be a bug in CFNetwork on Windows where the certificate will not be accepted when the certificate chain validation is skipped. This is addressed in this patch, and I believe it only will impact WebKit on Windows clients which allow any https certificate. It actually makes the certificate check a little stricter when any https certificate is allowed, since the certificate chain validation is not skipped with this patch.
Per Arne Vollan
Comment 5 2017-08-09 11:01:25 PDT
I believe this patch fixes ~40 layout tests :)
Alexey Proskuryakov
Comment 6 2017-08-09 12:53:31 PDT
Brent or Alex would be the best reviewers for this change I think.
Brent Fulgham
Comment 7 2017-08-18 09:28:58 PDT
Comment on attachment 317144 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=317144&action=review r=me assuming you add the Radar reference I requested. > Source/WebCore/platform/network/cf/ResourceHandleCFNet.cpp:183 > CFDictionaryAddValue(sslProps.get(), kCFStreamSSLValidatesCertificateChain, kCFBooleanFalse); Is this a bug in CFNetwork on Windows? Can you add a <rdar> reference for this, if it is? > Tools/DumpRenderTree/win/DumpRenderTree.cpp:1217 > + request->setAllowsAnyHTTPSCertificate(); This is a harmless check, but I'm not sure it's necessary since DRT only runs against servers we specify.
Per Arne Vollan
Comment 8 2017-08-21 09:35:55 PDT
(In reply to Brent Fulgham from comment #7) > Comment on attachment 317144 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=317144&action=review > > r=me assuming you add the Radar reference I requested. > > > Source/WebCore/platform/network/cf/ResourceHandleCFNet.cpp:183 > > CFDictionaryAddValue(sslProps.get(), kCFStreamSSLValidatesCertificateChain, kCFBooleanFalse); > > Is this a bug in CFNetwork on Windows? Can you add a <rdar> reference for > this, if it is? Yes. I will add a <rdar> reference. Thanks for reviewing!
Per Arne Vollan
Comment 9 2017-08-21 10:22:42 PDT
Committed r220970: <https://trac.webkit.org/changeset/220970/webkit>
Radar WebKit Bug Importer
Comment 10 2017-11-17 13:42:07 PST
<rdar://problem/35622830>
Radar WebKit Bug Importer
Comment 11 2017-11-17 13:42:10 PST
<rdar://problem/35622831>
Note You need to log in before you can comment on or make changes to this bug.