Bug 690176 – SOUP_STATUS_SSL_FAILED doesn't provide GTls certificate

After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.

Bug 690176 - SOUP_STATUS_SSL_FAILED doesn't provide GTls certificate


Summary:	SOUP_STATUS_SSL_FAILED doesn't provide GTls certificate


Status:	RESOLVED FIXED

Product:	libsoup
Classification:	Core
Component:	HTTP Transport
Version:	2.40.x
Hardware:	Other Linux

Importance:	Normal normal
Target Milestone:	---
Assigned To:	libsoup-maint@gnome.bugs
QA Contact:	libsoup-maint@gnome.bugs

URL:
Whiteboard:

Depends on:
Blocks:	690177

Reported:	2012-12-13 19:55 UTC by Milan Crha
Modified:	2013-01-10 15:25 UTC

See Also:
GNOME target:	---
GNOME version:	---

Description Milan Crha 2012-12-13 19:55:02 UTC

When I enable:
   SOUP_SESSION_SSL_USE_SYSTEM_CA_FILE, TRUE,
on a session and I try to connect to a server with https, but the server uses certificate which is not trusted, like a self-signed certificate, then I get status:
   SOUP_STATUS_SSL_FAILED
but the
   soup_message_get_https_status()
fails, while I would expect having those set, because I want to ask user whether he/she is fine with the certificate and hence I can continue with disabled
   SOUP_SESSION_SSL_USE_SYSTEM_CA_FILE, FALSE,
to connect to the server. Ideally, the SoupMessage/SoupSession should provide a signal for certificate trust prompt, but there are some issues about blocking in
GTlsConnection::accept-certificate signal, which may or may not be an issue. Nonetheless, having available certificate and certificate error after receiving SOUP_STATUS_SSL_FAILED is crucial to be able to prompt user for his/her decision.

I see the soup_message_set_https_status() being called, but (see comment #1 and comment #2)

Comment 1 Milan Crha 2012-12-13 19:56:37 UTC

for async session it's called as below, with NULL connection:

+ Trace 231293

#0 soup_message_set_https_status
at soup-message.c line 1910
#1 process_queue_item
at soup-session-async.c line 239
#2 run_queue
at soup-session-async.c line 307
#3 got_connection
at soup-session-async.c line 187
#4 socket_connect_finished
at soup-connection.c line 519
#5 handshake_async_ready
at soup-socket.c line 1159
#6 g_simple_async_result_complete
at gsimpleasyncresult.c line 775
#7 handshake_thread_completed
from /usr/lib64/gio/modules/libgiognutls.so
#8 g_simple_async_result_complete
at gsimpleasyncresult.c line 775
#9 complete_in_idle_cb_for_thread
at gsimpleasyncresult.c line 843
#10 g_main_dispatch
at gmain.c line 2715
#11 g_main_context_dispatch
at gmain.c line 3219
#12 g_main_context_iterate
at gmain.c line 3290
#13 g_main_context_iteration
at gmain.c line 3351
#14 soup_session_async_send_message
at soup-session-async.c line 392
#15 get_url
at get.c line 40
#16 main
at get.c line 253

Comment 2 Milan Crha 2012-12-13 19:57:35 UTC

and with sync it's called here, but the connection's 'sock' is NULL, thus no luck either:

+ Trace 231294

#0 soup_message_set_https_status
at soup-message.c line 1910
#1 get_connection
at soup-session-sync.c line 182
#2 process_queue_item
at soup-session-sync.c line 242
#3 soup_session_sync_send_message
at soup-session-sync.c line 334
#4 get_url
at get.c line 40
#5 main
at get.c line 253

Comment 3 Dan Winship 2012-12-14 12:45:04 UTC

hm... I thought libsoup's tests/ssl-test was ensuring that this worked, but I guess it only makes sure that it works in the success case.

Anyway, the way epiphany deals with this (ie, what you can do right now without waiting for a bugfix) is to set "ssl-strict" to FALSE on the session. Then the session will accept all certificates, but tls-errors will still be set on the messages with certificates it doesn't like, so you can call soup_message_get_https_status() on each https response before you actually use the data (eg, from a got-headers handler, or just from notify::tls-certificate), and decide whether or not to accept it.

(In reply to comment #0)
> Ideally, the SoupMessage/SoupSession should provide a
> signal for certificate trust prompt, but there are some issues about
> blocking in GTlsConnection::accept-certificate signal, which may or may
> not be an issue.

As of GNOME 3.6, TLS handshakes always happen in another thread, which was step 1 in addressing the blocking problem. The eventual fix we're slowly moving toward will probably involve extending GTlsInteraction to deal with this case, and then letting you set a GTlsInteraction on the session.

Comment 4 Milan Crha 2012-12-17 18:46:13 UTC

(In reply to comment #3)
> Anyway, the way epiphany deals with this...

It sounds like it's too late for security, especially when you already sent your credentials to the site.

Comment 5 Dan Winship 2012-12-18 14:05:10 UTC

notify::tls-certificate will be emitted immediately after the handshake, before anything HTTP-level is written, and if you soup_session_cancel_message() from there, then nothing should get written.

But yeah, someday there'll be nicer APIs.

Comment 6 Milan Crha 2013-01-07 18:28:34 UTC

I just tried it, and even the SoupMessage's notify::tls-certificate is called, it is never called with filled tls-certificate and tls-errors, in case of an SSL handshake failed error.

Comment 7 Milan Crha 2013-01-07 18:29:21 UTC

Oops, I'm sorry, comment #6 with libsoup-2.40.2-1.fc18.x86_64

Comment 8 Dan Winship 2013-01-07 22:03:37 UTC

OK, fixed in master.

(In reply to comment #0)
> fails, while I would expect having those set, because I want to ask user
> whether he/she is fine with the certificate and hence I can continue with
> disabled
>    SOUP_SESSION_SSL_USE_SYSTEM_CA_FILE, FALSE,
> to connect to the server.

I was going to say that this wouldn't work, because any persistent connections would still use the old value. But I guess you won't have any persistent connections to this host since they'll have failed with SSL errors, right? So it should work. (Or if not, just do a soup_session_abort() after changing it to close all the old connections.)

Also, it would be better to do

    SOUP_SESSION_SSL_STRICT, FALSE,

which is more semantically in-line with what you mean. The fact that having no CA file means "accept everything" rather than "accept nothing" is a historical mistake.

Comment 9 Milan Crha 2013-01-08 11:49:41 UTC

Thanks for the fix. Is the change backportable to stable? I'd like to use it as soon as possible, and it's a pita to depend on a development release of a dependency package (the evo projects usually use to depend on stable releases, to make life of the users/compilers easier).

By the way, I guess this is about these two commits:
http://git.gnome.org/browse/libsoup/commit/?id=c2ce0f99c1551161f
http://git.gnome.org/browse/libsoup/commit/?id=645d0943d61885d71

Comment 10 Milan Crha 2013-01-09 21:57:28 UTC

Never mind, I tried to apply it to stable, but it didn't work, the sources changed too much. I'll do some version checking in evolution/evolution-data-server for libsoup which supports this, aka for 2.41.3.

Comment 11 Dan Winship 2013-01-10 14:42:12 UTC

(In reply to comment #10)
> Never mind, I tried to apply it to stable, but it didn't work, the sources
> changed too much.

I've committed a 2.40-equivalent version of this patch (as well as bug 691399's) to the gnome-3-6 branch. "make check" passes, but further sanity-checking before Monday would be appreciated. (Actually, I guess there's no particular reason I have to put the 2.40.3 release out on Monday, but that's the current plan anyway.)

Comment 12 Milan Crha 2013-01-10 15:25:57 UTC

Thanks, I appreciate it. Both things work with gnome-3-6 branch at commit 8c0dd43. I'll use this libsoup until the release, and report any regression I would notice.