GNOME Bugzilla – Bug 543455
Add overrides for TLS CA files, CRLs, mandatory minimum validation flags
Last modified: 2017-10-17 14:37:17 UTC
gvfs should provide a way to specify a CA file to libsoup to validate the certificate of a https server it is accessing. Currently libsoup defaults to not validating the certificate, and there is no obvious way to override that default. An environment variable or gconf setting for the CA file would work.
Agreeed, but I guess we need something like a gobal certificate store somewhere (soup?).
Ideally there would be a global certificate store. Fedora is working on this: https://fedoraproject.org/wiki/FedoraCryptoConsolidation and I also see some discussion of certificates and libsoup in bug 507802. In the meantime, yes, let's move this to libsoup; then it will benefit Evolution's retrieval of calendars over https (another app I use) as well as gvfs. In fact, I wrote a small patch to libsoup that recognizes an environment variable SOUP_SSL_CA_FILE, and I have been using the patched libsoup as an interim solution; I'll attach the patch. Note that to affect gvfs, the environment variable has to be set quite early in the login process. On Fedora 9, I had to create my own script in /etc/X11/xinit/xinitrc.d that would source ~/.xprofile, and then I sent the environment variable there.
Created attachment 124547 [details] [review] Make libsoup recognize SOUP_SSL_CA_FILE environment variable Applies to Fedora 10's libsoup-2.24.2.1-1.fc10 .
So, in the context of libsoup, this enhancement request is: allow a default SSL CA file to be specified via environment variable for the benefit of apps that are too naive to let the user set the CA file, including gvfs and Evolution (for http calendars).
Except that won't work for gvfs, as http will be running out-of-band, in a process that's not spawned by the application.
gvfs checked the certificate just fine if I set the environment variable early enough in the xinit process that gvfsd picked it up.
oops, this got moved to libsoup but not reassigned
TLS code is being moved to gio (bug 588189) and libsoup will be ported to use that (bug 634425). The gio code defaults to draconian certificate validation using the system CA file, although libsoup will need to turn that off by default to preserve backward compatibility. It probably makes more sense to put this into gsettings than environment variables, and then the problem of setting it early enough in login is avoided.
Created attachment 178103 [details] [review] Make libsoup recognize SOUP_SSL_CA_FILE environment variable (applies to 2.32.1) For anyone still interested in the issue as originally reported, here is an updated patch that applies cleanly to libsoup 2.32.1.
This looks quite obsolete.