Bug 79657 - [WK2] [GTK] [libsoup] SoupSession should use system CA
Summary: [WK2] [GTK] [libsoup] SoupSession should use system CA
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKitGTK (show other bugs)
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Sergio Villar Senin
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-02-27 03:40 PST by Sergio Villar Senin
Modified: 2012-03-01 04:52 PST (History)
5 users (show)

See Also:


Attachments
Patch (3.19 KB, patch)
2012-02-27 03:58 PST, Sergio Villar Senin
no flags Details | Formatted Diff | Diff
Patch (5.04 KB, patch)
2012-02-28 07:58 PST, Sergio Villar Senin
no flags Details | Formatted Diff | Diff
Patch (2.77 KB, patch)
2012-02-29 08:12 PST, Sergio Villar Senin
mrobinson: review+
mrobinson: commit-queue-
Details | Formatted Diff | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Sergio Villar Senin 2012-02-27 03:40:17 PST
As stated here https://bugs.webkit.org/show_bug.cgi?id=68602#c24 libsoup should use the available system CA list to validate SSL certificates. Enabling that caused several regressions (see https://bugs.webkit.org/show_bug.cgi?id=68602#c27).
Comment 1 Sergio Villar Senin 2012-02-27 03:58:24 PST
Created attachment 129008 [details]
Patch
Comment 2 Martin Robinson 2012-02-27 08:50:06 PST
Comment on attachment 129008 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=129008&action=review

Looks good, but this needs to be expanded for WKTR.

> Tools/DumpRenderTree/gtk/DumpRenderTree.cpp:597
> +    /* Do not use strict certificate validation for tests. */
> +    g_object_set(session, SOUP_SESSION_SSL_STRICT, FALSE, NULL);
> +

You'll also need to do this for WebKitTestRunner.
Comment 3 Sergio Villar Senin 2012-02-28 07:58:25 PST
Created attachment 129254 [details]
Patch
Comment 4 Martin Robinson 2012-02-28 09:52:04 PST
Comment on attachment 129254 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=129254&action=review

> Source/WebKit2/WebProcess/InjectedBundle/InjectedBundle.cpp:236
> +    g_object_set(session, SOUP_SESSION_SSL_STRICT, FALSE, NULL);

The more I think this, the more I wonder if this should be in ResourceHandleSoup.cpp as well. Sergio and Dan, any thoughts about this?
Comment 5 Sergio Villar Senin 2012-02-28 10:20:35 PST
(In reply to comment #4)
> (From update of attachment 129254 [details])
> View in context: https://bugs.webkit.org/attachment.cgi?id=129254&action=review
> 
> > Source/WebKit2/WebProcess/InjectedBundle/InjectedBundle.cpp:236
> > +    g_object_set(session, SOUP_SESSION_SSL_STRICT, FALSE, NULL);
> 
> The more I think this, the more I wonder if this should be in ResourceHandleSoup.cpp as well. Sergio and Dan, any thoughts about this?

If we do that then we must add some sort of "This certificate seems to be invalid/expired/whatever. Do you want to accept this certificate anyway?" dialog (as we will be accepting invalid certificates). IMO we do not need to do that as I haven't seen any major issue related to certificate handling.
Comment 6 Martin Robinson 2012-02-28 11:35:10 PST
(In reply to comment #5)

> If we do that then we must add some sort of "This certificate seems to be invalid/expired/whatever. Do you want to accept this certificate anyway?" dialog (as we will be accepting invalid certificates). IMO we do not need to do that as I haven't seen any major issue related to certificate handling.

Doesn't Soup support this kind of operation? 

My concern with this patch is that by flipping this flag in ResouceHandleSoup, we'll be preventing sites from loading that used to load before. This will break downstream applications until they turn off strict SSL handling. Is this a valid concern or have I just misunderstood the situation?
Comment 7 Dan Winship 2012-02-28 12:09:20 PST
(In reply to comment #6)
> (In reply to comment #5)
> 
> > If we do that then we must add some sort of "This certificate seems to be invalid/expired/whatever. Do you want to accept this certificate anyway?" dialog (as we will be accepting invalid certificates).
> 
> Doesn't Soup support this kind of operation? 

libsoup doesn't do any UI stuff. If the app knows that SSL_STRICT has been set FALSE, then it can watch for various signals and such to know when it needs to present such a dialog itself, but if not, then setting SSL_STRICT to FALSE is exactly the same as just not setting USE_SYSTEM_CA_FILE. Just slower.

Moreover, if the app was previously setting its own SSL_CA_FILE, and just assuming that SSL_STRICT had its default value of TRUE, then having WebKit set it FALSE by default would render the app insecure (since it would be expecting invalid certificates to be rejected, but they wouldn't be).

So I guess we can't do this without breaking API... maybe do it in wk2 only?
Comment 8 Martin Robinson 2012-02-28 12:12:54 PST
(In reply to comment #7)

> So I guess we can't do this without breaking API... maybe do it in wk2 only?

Sounds like WebKit2-only is the best option. :( Let's keep this in mind if we ever break WebKit1 API.
Comment 9 Sergio Villar Senin 2012-02-28 23:45:05 PST
(In reply to comment #7)
> Moreover, if the app was previously setting its own SSL_CA_FILE, and just assuming that SSL_STRICT had its default value of TRUE, then having WebKit set it FALSE by default would render the app insecure (since it would be expecting invalid certificates to be rejected, but they wouldn't be).
> 
> So I guess we can't do this without breaking API... maybe do it in wk2 only?

Let's clarify this, this patch *does not* set SSL strict to FALSE for WebKit clients. It will do it only for testing purpouses, i.e, it will only be set to FALSE for WebKitTestRunner and DumpRenderTree.
Comment 10 Martin Robinson 2012-02-28 23:51:23 PST
(In reply to comment #9)
> > So I guess we can't do this without breaking API... maybe do it in wk2 only?
> 
> Let's clarify this, this patch *does not* set SSL strict to FALSE for WebKit clients. It will do it only for testing purpouses, i.e, it will only be set to FALSE for WebKitTestRunner and DumpRenderTree.

From what I understand this is an API break, because applications will fail to load sites that they could load just fine in the past -- or is that not the case?
Comment 11 Sergio Villar Senin 2012-02-29 00:02:22 PST
(In reply to comment #10)
> (In reply to comment #9)
> > > So I guess we can't do this without breaking API... maybe do it in wk2 only?
> > 
> > Let's clarify this, this patch *does not* set SSL strict to FALSE for WebKit clients. It will do it only for testing purpouses, i.e, it will only be set to FALSE for WebKitTestRunner and DumpRenderTree.
> 
> From what I understand this is an API break, because applications will fail to load sites that they could load just fine in the past -- or is that not the case?

Unless I'm missing something I don't think this will break any application.
Comment 12 Dan Winship 2012-02-29 07:14:34 PST
(In reply to comment #11)
> Unless I'm missing something I don't think this will break any application.

It will. Note that SSL_STRICT was tacked on after the fact and has confusing semantics because we didn't think it through enough at the time. SSL_STRICT=TRUE doesn't mean "be strict", it means "be strict if SSL_CA_FILE or USE_SYSTEM_CA_FILE is also set, and non-strict if not".

So, with WebKit's current behavior, an app that doesn't set any SSL-related options will accept all certificates.

If we commit your patch as is, then an app that doesn't set any SSL-related options will now start rejecting all certificates that aren't signed by one of the system CAs, which is essentially an API break. (It doesn't break epiphany, because epiphany unsets SSL_STRICT itself.)

If we commit your patch and also unset SSL_STRICT (as Martin suggested in comment 4), then that avoids that problem, but causes the opposite problem; apps that were previously setting SSL_CA_FILE or USE_SYSTEM_CA_FILE but not changing the setting of SSL_STRICT will now suddenly start accepting all certificates, instead of only accepting acceptable ones.
Comment 13 Sergio Villar Senin 2012-02-29 07:32:12 PST
(In reply to comment #12)
> (In reply to comment #11)
> > Unless I'm missing something I don't think this will break any application.
> 
> It will. Note that SSL_STRICT was tacked on after the fact and has confusing semantics because we didn't think it through enough at the time. SSL_STRICT=TRUE doesn't mean "be strict", it means "be strict if SSL_CA_FILE or USE_SYSTEM_CA_FILE is also set, and non-strict if not".
> 
> So, with WebKit's current behavior, an app that doesn't set any SSL-related options will accept all certificates.

Yeah indeed, I was wrongly assuming that rejecting certificates was the default policy.

So, I guess we should remove the USE_SYSTEM_CA_FILE from ResourceHandleSoup and move it to WK2 initialization specific code. How does it sound Martin?
Comment 14 Martin Robinson 2012-02-29 07:57:41 PST
(In reply to comment #13)

> So, I guess we should remove the USE_SYSTEM_CA_FILE from ResourceHandleSoup and move it to WK2 initialization specific code. How does it sound Martin?

Yeah, let's do that. Now that I understand the scope of the problem, this sounds like the best plan.
Comment 15 Sergio Villar Senin 2012-02-29 08:12:19 PST
Created attachment 129453 [details]
Patch
Comment 16 Martin Robinson 2012-02-29 14:26:31 PST
Comment on attachment 129453 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=129453&action=review

> Source/WebKit2/WebProcess/InjectedBundle/InjectedBundle.cpp:236
> +    SoupSession* session = WebCore::ResourceHandle::defaultSession();
> +    g_object_set(session, SOUP_SESSION_SSL_STRICT, FALSE, NULL);

I'm really sorry about this back and forth in this patch, I really am. Before landing I think we should move this to Source/WebKit2/WebProcess/gtk/WebProcessMainGtk.cpp. Later we can add API to WebKit2 to expose certificate errors to the client. By default it would accept broken certificates.
Comment 17 Sergio Villar Senin 2012-03-01 04:52:07 PST
Committed r109338: <http://trac.webkit.org/changeset/109338>