GNOME Bugzilla – Bug 666280
Please make ssl-strict strict when there is no ca-file loaded
Last modified: 2011-12-16 14:10:15 UTC
Created attachment 203580 [details] [review] patch to make connections fail if ssl-strict is set but no ssl-ca-file is used The current behavior of libsoup is that if there is no ssl-ca-file set but ssl-strict is set to True it will accept any certificate. While technically it makes sense, I think it's not what most users expect when reading the API documentation for ssl-strict. I think a better default is that if there is no ssl-ca-file and ssl-strict is set it should fail any ssl connection, so that it's a conscious decision by the developer to turn it off. I attach a very basic patch for this. Alternatively it could be a different error code with a message like "ERROR: ssl-strict checking requested but no ssl-ca-file provided" (that requires some more work though).
Comment on attachment 203580 [details] [review] patch to make connections fail if ssl-strict is set but no ssl-ca-file is used This is a documentation problem then; changing the behavior would be an ABI break. FWIW, in libsoup 2.38, there will be a property you can set on SoupSession to make it use "sane" defaults rather than backwards-compatible ones. (http://git.mysterion.org/libsoup/commit/?h=features&id=0c8f8dd83a30d236a2c9a7bd4988ba90da1358c4)
Thanks for your quick reply (and also for your reply to #666276). The new option to enable better defaults looks very good indeed. Given these new options I wonder if there is a plan to release a 3.0 version that breaks the backward-compatibility at some point in the future? Or maybe even just break compatibility for the security defaults? Among other things, having those defaults is nice for users who may not even be aware that they are using libsoup underneath (like e.g. python-webkit users).
We could consider setting those things in WebKitGTK+ itself by default, I guess. What do you think, Dan?
Yes, I was assuming WebKit would use it. There will most likely be a libsoup-3.0 at some point in the future, but I don't know when.
Thanks again Dan for your answer! Sorry for my nagging about this, but would you accept a patch that would issue a g_warning() if ssl-strict is set but no ssl-ca-file is set (or no ssl-ca-use-system-default)? I'm happy to provide a patch if there is a chance that it gets accepted. Thanks, Michael
The problem here is just that "ssl-strict" is a bad name. It probably should have been "ssl-unstrict" (with the meanings of TRUE/FALSE reversed). But anyway, the point is that ssl-strict == TRUE doesn't really mean "be strict", it means "behave exactly like libsoup always behaved up until 2.30". And before 2.30, if ssl-ca-file was set, then it was strict, and if ssl-ca-file wasn't set, then any certificate was accepted. So that's what ssl-strict==TRUE has to mean. I've updated the documentation a bit to clarify.
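The semantics Dan describes above are easy to get wrong in application code, so here is an added example (written for this page, not libsoup's or WebKitGTK+'s own code) that encodes them as an audit over a session's property values, in the spirit of the g_warning() proposed earlier in the thread. The property names ("ssl-strict", "ssl-ca-file", "ssl-use-system-ca-file", "tlsdb") are the real SoupSession ones; the dict shape and the function names are assumptions so the example runs without libsoup installed.

```python
"""Model of libsoup 2.x certificate-verification semantics as described in this bug.

Added illustration, not libsoup code. The dict keys are the real SoupSession
property names; the functions and the dict-based input are assumptions for a
stand-alone example that runs without libsoup.
"""

# Anything that gives libsoup a trust store to verify against. ssl-ca-file is
# the pre-2.30 way; ssl-use-system-ca-file and tlsdb arrive in 2.38.
TRUST_SOURCES = ("ssl-ca-file", "ssl-use-system-ca-file", "tlsdb")


def certificates_verified(props):
    """Return True when the session will reject an untrusted server certificate.

    Per the thread: ssl-strict == TRUE (the default) means the pre-2.30
    behaviour, i.e. 'verify against the configured trust store if there is one,
    otherwise accept anything'. ssl-strict == FALSE means certificate errors
    are never enforced, whatever trust store is configured.
    """
    if not props.get("ssl-strict", True):
        return False
    return any(props.get(key) for key in TRUST_SOURCES)


def audit_session(props):
    """Return a list of warning strings for a weak TLS configuration.

    An empty list means the session verifies certificates. This is the check
    the thread proposes adding as a g_warning(); here it is a plain function so
    it can be fed values read from a real session.
    """
    warnings = []
    strict = props.get("ssl-strict", True)
    if strict and not certificates_verified(props):
        warnings.append(
            "ssl-strict is TRUE but none of ssl-ca-file, ssl-use-system-ca-file "
            "or tlsdb is set: any certificate will be accepted"
        )
    if not strict:
        warnings.append("ssl-strict is FALSE: certificate errors are not enforced")
    return warnings


if __name__ == "__main__":
    # Constructed sample configurations: the surprising default beside the fix.
    weak = {"ssl-strict": True}
    fixed = {"ssl-strict": True, "ssl-use-system-ca-file": True}
    for name, cfg in (("weak", weak), ("fixed", fixed)):
        print(name, certificates_verified(cfg), audit_session(cfg))
```

To run this against a real session, read the values with `g_object_get(session, "ssl-strict", &strict, "ssl-ca-file", &ca_file, NULL)` in C, or `session.get_property("ssl-strict")` from PyGObject, and pass them in as the dict. The takeaway matches Dan's point: a session that only sets ssl-strict to TRUE is not strict; it needs ssl-ca-file, ssl-use-system-ca-file, or tlsdb as well.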
Created attachment 203676 [details] [review] Clarify the meaning of #SoupSession:ssl-strict and fix the Since tags on #SoupSession:ssl-use-system-ca-file and #SoupSession:tlsdb