GNOME Bugzilla – Bug 772647
Perform TLS certificate verification
Last modified: 2021-05-25 11:42:26 UTC
I see libgrss is using SoupSessionSync. I believe this deprecated class performs no TLS certificate verification by default, and I don't see any code to turn it on (no use of the ssl-ca-file, tls-database, or ssl-strict properties), so I presume no certificate verification is occurring.

The ideal solution would be to upgrade to modern SoupSession, which is secure by default.
(In reply to Michael Catanzaro from comment #0)
> I see libgrss is using SoupSessionSync. I believe this deprecated class
> performs no TLS certificate verification by default, and I don't see any
> code to turn it on (no use of the ssl-ca-file, tls-database, or ssl-strict
> properties), so I presume no certificate verification is occurring.
>
> The ideal solution would be to upgrade to modern SoupSession, which is
> secure by default.

I have some plans to refactor the whole code of libgrss, but lack the time =(
Ah, well there is an easier way: just set the ssl-use-system-ca-file property of each SoupSession subclass to TRUE. Note that you create three SoupSessionSync and six SoupSessionAsync objects, so it has to be done in nine different places, but at least then you don't have to refactor anything.
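An audit helper for the "nine different places" point above, added here as an example and not part of the bug thread or of libgrss: it scans C source for SoupSessionSync/SoupSessionAsync constructor calls and reports those that never receive ssl-use-system-ca-file, ssl-ca-file or tls-database, either at construction or through a later g_object_set(). Treating exactly those three properties as the trust-store settings is this example's assumption, and the sample source is constructed.

```python
import re

# Constructors of the deprecated libsoup session classes named in this bug.
CTOR = re.compile(r"\bsoup_session_(?:sync|async)_new(?:_with_options)?\s*\(")
# Properties that give a session a trust store (string and macro spellings).
TRUST = re.compile(
    r'"(?:ssl-use-system-ca-file|ssl-ca-file|tls-database)"'
    r"|\bSOUP_SESSION_(?:SSL_USE_SYSTEM_CA_FILE|SSL_CA_FILE|TLS_DATABASE)\b")


def call_args(src, open_paren):
    """Return the text between the parenthesis at open_paren and its match."""
    depth = 0
    for i in range(open_paren, len(src)):
        depth += {"(": 1, ")": -1}.get(src[i], 0)
        if depth == 0:
            return src[open_paren + 1:i]
    return src[open_paren + 1:]  # unbalanced input: take the rest


def unverified_sessions(src):
    """List (line, variable) for sessions created without a trust store."""
    findings = []
    for m in CTOR.finditer(src):
        if TRUST.search(call_args(src, m.end() - 1)):
            continue  # trust store passed at construction time
        # Name assigned from the constructor, e.g. "priv->session = soup_...".
        lhs = re.search(r"([\w.>-]+)\s*=\s*$", src[:m.start()])
        var = lhs.group(1) if lhs else None
        # A later g_object_set() on the same name also counts.
        later = var and re.finditer(
            r"\bg_object_set\s*\(\s*%s\s*,([^;]*);" % re.escape(var), src)
        if not (later and any(TRUST.search(s.group(1)) for s in later)):
            findings.append((src.count("\n", 0, m.start()) + 1, var))
    return findings


# Constructed sample C source, not taken from libgrss.
SAMPLE = '''\
a = soup_session_sync_new ();
b = soup_session_async_new_with_options ("ssl-use-system-ca-file", TRUE, NULL);
priv->c = soup_session_async_new ();
g_object_set (priv->c, SOUP_SESSION_SSL_USE_SYSTEM_CA_FILE, TRUE, NULL);
d = soup_session_sync_new_with_options ("timeout", 30, NULL);
'''

if __name__ == "__main__":
    for line, var in unverified_sessions(SAMPLE):
        print("line %d: %s has no TLS trust store configured" % (line, var))
```

The scan is textual, so a session configured through a differently named alias or a wrapper function will still be reported and needs a manual look.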
GNOME is going to shut down bugzilla.gnome.org in favor of gitlab.gnome.org. As part of that, we are mass-closing older open tickets in bugzilla.gnome.org which have not seen updates for a longer time (resources are unfortunately quite limited so not every ticket can get handled).

If you can still reproduce the situation described in this ticket in a recent and supported software version, then please follow https://wiki.gnome.org/GettingInTouch/BugReportingGuidelines and create a new enhancement request ticket at https://gitlab.gnome.org/GNOME/libgrss/-/issues/

Thank you for your understanding and your help.
Moved to GitLab: https://gitlab.gnome.org/GNOME/libgrss/-/issues/4