GNOME Bugzilla – Bug 634425
port to gio tls
Last modified: 2011-09-30 00:42:11 UTC
Once gio has TLS support in glib 2.28, we need to make libsoup use it, addressing existing libsoup TLS bugs in the process:

- Bug 334021 - client SSL certificate support
  We will need to proxy the need-certificate signal from the GTlsConnection to the SoupSession, and possibly provide a way to specify a certificate ahead of time.

- Bug 507801 - Certificates and private keys can be passed to libsoup only as file names
  GTlsCertificates can be constructed from strings or byte arrays. We will need to provide some way of passing certificates to a SoupSession/SoupServer.

- Bug 507802 - Certificate validation is too strict for some use cases
  We'd need to proxy the accept-certificate signal from the GTlsConnection, and GTlsCertificate should have additional methods to get the relevant name/ID of the certificate. (Even without GTlsCertificate API, this could be implemented by reimporting the raw cert data into your TLS library of choice and using that to parse it.)

- Bug 543455 - Recognize an environment variable for default SSL CA file
  There should be a SoupSession option to use the system CA file with strict validation, and GVFS and other apps should be updated to use it (possibly via a SOUP_TYPE_GNOME_FEATURES_3_0 feature). Possibly there could also be a gio-level environment variable to always force G_TLS_VALIDATE_ALL even if the app specifies otherwise.

- Bug 547881 - Missing CRL support
  GIO TLS doesn't yet have CRL support, but this is easy enough. libsoup would need to provide ways of adding CRLs (or perhaps the GIO API should be global-ish; if a certificate has been revoked, it should be revoked in all parts of the app, not just the part that made the "add_crl" call...)

- Bug 581342 - gnutls problems with SSL3 compat
  The title there is now wrong; this isn't really gnutls specific. This will need to be implemented at the libsoup level at any rate, since in some cases we will need to retry after attempting a CONNECT.

- Bug 632220 - Add new property to SoupMessage to get certificate list
  This would be a GTlsCertificate chain.
*** Bug 334021 has been marked as a duplicate of this bug. ***
*** Bug 507801 has been marked as a duplicate of this bug. ***
*** Bug 507802 has been marked as a duplicate of this bug. ***
*** Bug 547881 has been marked as a duplicate of this bug. ***
*** Bug 632220 has been marked as a duplicate of this bug. ***
*** Bug 621791 has been marked as a duplicate of this bug. ***
gio-tls support is now pushed to libsoup master. Updates on the specific sub-bugs to come later...
(In reply to comment #0)

> - Bug 334021 - client SSL certificate support

Still not done, and I reopened that bug.

> - Bug 507801 - Certificates and private keys can be passed to libsoup
> only as file names

Fixed as of today in master; you can pass a GTlsDatabase to SoupSession, or a GTlsCertificate to SoupServer.

> - Bug 507802 - Certificate validation is too strict for some use cases

Fixed since libsoup 2.34 / GNOME 3.0. You can set #SoupSession:ssl-strict to %FALSE to get it to speak to servers with unacceptable certificates, and then examine #SoupMessage:tls-certificate and #SoupMessage:tls-errors on each message.

> - Bug 543455 - Recognize an environment variable for default SSL CA file

Not done yet, and that bug is still open.

> - Bug 547881 - Missing CRL support

Now glib-networking's problem. Bug 636573.

> - Bug 581342 - gnutls problems with SSL3 compat

Fixed in libsoup 2.36 / GNOME 3.2.

> - Bug 632220 - Add new property to SoupMessage to get certificate list

Fixed as described above.

So, everything is either fixed, or being tracked in a different bug, so this bug can be closed.
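The last comment describes the pattern libsoup 2.34 offers for lenient validation: turn off SoupSession:ssl-strict and inspect SoupMessage:tls-errors yourself. The point a practitioner needs to keep in mind is that once ssl-strict is FALSE libsoup never rejects a certificate on its own, so a client that forgets the per-message check has no validation at all. The following is an added example written for this page, not code from the bug or from libsoup; it assumes the libsoup 2.34+ API (SOUP_SESSION_SSL_STRICT, SOUP_SESSION_SSL_CA_FILE, soup_message_get_https_status) and mirrors the GIO GTlsCertificateFlags bit values so the policy helpers compile and run without GLib. The network part is compiled only with -DHAVE_LIBSOUP; the function names fetch_checked, tls_error_names, tls_error_count and reply_is_trustworthy are this example's own.

```c
/* Added example: a libsoup client that disables ssl-strict but still
 * refuses to use any reply whose certificate failed a check.  Build the
 * network part with:
 *   cc -DHAVE_LIBSOUP example.c $(pkg-config --cflags --libs libsoup-2.4)
 * Without that define only the flag-policy helpers are compiled. */
#include <stdio.h>
#include <string.h>

/* Bit values copied from GIO's GTlsCertificateFlags (gio/gioenums.h). */
enum {
    TLS_UNKNOWN_CA    = 1 << 0,
    TLS_BAD_IDENTITY  = 1 << 1,
    TLS_NOT_ACTIVATED = 1 << 2,
    TLS_EXPIRED       = 1 << 3,
    TLS_REVOKED       = 1 << 4,
    TLS_INSECURE      = 1 << 5,
    TLS_GENERIC_ERROR = 1 << 6,
    TLS_VALIDATE_ALL  = 0x7f
};

static const struct { unsigned flag; const char *name; } flag_names[] = {
    { TLS_UNKNOWN_CA,    "unknown-ca" },
    { TLS_BAD_IDENTITY,  "bad-identity" },
    { TLS_NOT_ACTIVATED, "not-activated" },
    { TLS_EXPIRED,       "expired" },
    { TLS_REVOKED,       "revoked" },
    { TLS_INSECURE,      "insecure" },
    { TLS_GENERIC_ERROR, "generic-error" },
};

/* Number of failed checks in a tls-errors value (unknown bits count once). */
int tls_error_count(unsigned errors)
{
    int n = 0;
    for (unsigned f = errors & TLS_VALIDATE_ALL; f; f &= f - 1)
        n++;
    if (errors & ~(unsigned)TLS_VALIDATE_ALL)
        n++;
    return n;
}

/* Comma-separated names of the failed checks, for logging.  Returns a
 * static buffer (fine for a single-threaded client, not re-entrant). */
const char *tls_error_names(unsigned errors)
{
    static char buf[160];
    size_t i, n = sizeof flag_names / sizeof flag_names[0];

    if (errors == 0)
        return "none";
    buf[0] = '\0';
    for (i = 0; i < n; i++) {
        if (!(errors & flag_names[i].flag))
            continue;
        if (buf[0])
            strncat(buf, ",", sizeof buf - strlen(buf) - 1);
        strncat(buf, flag_names[i].name, sizeof buf - strlen(buf) - 1);
    }
    if (errors & ~(unsigned)TLS_VALIDATE_ALL) {
        if (buf[0])
            strncat(buf, ",", sizeof buf - strlen(buf) - 1);
        strncat(buf, "unknown-flag", sizeof buf - strlen(buf) - 1);
    }
    return buf;
}

/* Policy: a reply is usable only if it came over HTTPS and every check
 * passed.  With ssl-strict off this is the only thing standing between
 * the application and an unauthenticated peer. */
int reply_is_trustworthy(int was_https, unsigned errors)
{
    return was_https && errors == 0;
}

#ifdef HAVE_LIBSOUP
#include <libsoup/soup.h>

/* GET uri with ssl-strict off; return the body only when the certificate
 * passed every check, otherwise log the failed checks and return NULL. */
static char *fetch_checked(const char *ca_file, const char *uri)
{
    SoupSession *session = soup_session_sync_new_with_options(
        SOUP_SESSION_SSL_CA_FILE, ca_file,   /* trust anchors; without them everything is unknown-ca */
        SOUP_SESSION_SSL_STRICT, FALSE,      /* libsoup will not abort; we judge tls-errors ourselves */
        NULL);
    SoupMessage *msg = soup_message_new("GET", uri);
    GTlsCertificate *cert = NULL;
    GTlsCertificateFlags errors = 0;
    gboolean https;
    char *body = NULL;

    if (!msg) {
        g_object_unref(session);
        return NULL;
    }
    soup_session_send_message(session, msg);
    https = soup_message_get_https_status(msg, &cert, &errors);
    if (reply_is_trustworthy(https, errors))
        body = g_strndup(msg->response_body->data, msg->response_body->length);
    else
        g_warning("%s: response discarded, tls-errors=%s", uri,
                  https ? tls_error_names(errors) : "not https / handshake failed");
    g_object_unref(msg);
    g_object_unref(session);
    return body;
}
#endif

int main(int argc, char **argv)
{
#ifdef HAVE_LIBSOUP
    char *body;
    if (argc != 3) {
        fprintf(stderr, "usage: %s ca-file https-url\n", argv[0]);
        return 2;
    }
    g_type_init();   /* required on GLib < 2.36, harmless later */
    body = fetch_checked(argv[1], argv[2]);
    if (!body)
        return 1;
    fputs(body, stdout);
    g_free(body);
    return 0;
#else
    /* Constructed sample tls-errors values to exercise the policy offline. */
    unsigned samples[] = { 0, TLS_UNKNOWN_CA, TLS_EXPIRED | TLS_BAD_IDENTITY };
    size_t i;
    (void)argc; (void)argv;
    for (i = 0; i < 3; i++)
        printf("errors=0x%02x trusted=%d (%s)\n", samples[i],
               reply_is_trustworthy(1, samples[i]), tls_error_names(samples[i]));
    return 0;
#endif
}
```

The CA file is passed explicitly because a session with no trust anchors reports unknown-ca for every server, which the policy then correctly rejects; the names are only logged, never used to widen the policy, so a rejected reply stays rejected whatever the reason.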