GNOME Bugzilla – Bug 754825
Allow to set SoupSession::ssl-ca-file to NULL
Last modified: 2018-09-21 16:23:16 UTC
It's currently not possible to set SoupSession::ssl-ca-file to NULL; this patch series fixes that.
Created attachment 311059: Allow to set NULL SoupSession::ssl-ca-file
Created attachment 311060: ssl-ca: Add additional test
For a legacy SoupSession type, it's not clear that ssl-ca-file=NULL should imply ssl-use-system-ca-file=TRUE, given that the default value of the properties is ssl-ca-file=NULL, ssl-use-system-ca-file=FALSE. That is part of why this property is deprecated.

Is there some reason you're using it? If you're setting it from some other value provided from elsewhere, the preferred way to do it is:

    if (ssl_ca_file != NULL) {
      tlsdb = g_tls_file_database_new (ssl_ca_file, &error);
      // error handling here
    } else
      tlsdb = NULL;
    g_object_set (session, SOUP_SESSION_TLS_DATABASE, tlsdb, NULL);

In particular because of the "// error handling here", which you can't do with ssl-ca-file.
I'm using ssl-ca-file for el6 support as ssl-use-system-ca-file and tls-database are available since libsoup 2.38 while el6 only has 2.34. What I'm trying to achieve is to try a connection with a given CA, and if this fails, try again with the system CAs. Maybe the right way of handling that is to ask for a backport of ssl-use-system-ca-file and tls-database in el6.
Ah, this patch is definitely wrong then; setting ssl-ca-file=NULL in 2.34 doesn't mean "use system CAs", it means "use no CAs" (and just accept any certificate). If you want to use the system CAs, you have to explicitly set it to the path of the system CA file.
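The fallback order discussed in this thread (given CA first, then the system CAs, never a NULL ssl-ca-file), as an added example that is not code from the bug report or from libsoup. The `connect_fn` callback, `demo_trusts_only` and the `SYSTEM_CA_FILE` path are assumptions: the callback stands in for creating a session with ssl-ca-file set to the given path and sending the request.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Assumed EL6 system bundle path; adjust for the target distribution. */
#define SYSTEM_CA_FILE "/etc/pki/tls/certs/ca-bundle.crt"

/* Hypothetical callback: create a session with ssl-ca-file set to ca_file,
 * send the request, return 0 on success and non-zero on a TLS failure. */
typedef int (*connect_fn)(const char *ca_file, void *user_data);

enum ca_result { CA_CUSTOM_OK, CA_SYSTEM_OK, CA_ALL_FAILED };

/* Usable only if it names a readable file. NULL is rejected because on
 * libsoup 2.34 ssl-ca-file=NULL means "accept any certificate". */
static int ca_usable(const char *path)
{
    return path != NULL && path[0] != '\0' && access(path, R_OK) == 0;
}

enum ca_result connect_with_fallback(const char *custom_ca, const char *system_ca,
                                     connect_fn try_connect, void *user_data)
{
    if (ca_usable(custom_ca) && try_connect(custom_ca, user_data) == 0)
        return CA_CUSTOM_OK;
    if (ca_usable(system_ca) && try_connect(system_ca, user_data) == 0)
        return CA_SYSTEM_OK;
    return CA_ALL_FAILED; /* never fall through to a NULL CA file */
}

/* Constructed stand-in for a real connection: the "server" verifies only
 * against the bundle whose path is passed in user_data. */
int demo_trusts_only(const char *ca_file, void *user_data)
{
    return strcmp(ca_file, (const char *)user_data) == 0 ? 0 : 1;
}

int main(void)
{
    /* Constructed input: custom bundle path is missing, so it is skipped. */
    enum ca_result r = connect_with_fallback("/nonexistent/custom-ca.pem",
                                             SYSTEM_CA_FILE, demo_trusts_only,
                                             (void *)SYSTEM_CA_FILE);
    printf("result=%d\n", r);
    return r == CA_ALL_FAILED;
}
```

Checking readability before each attempt compensates for ssl-ca-file having no error return, the limitation noted in the comment above about tls-database.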
-- GitLab Migration Automatic Message -- This bug has been migrated to GNOME's GitLab instance and has been closed from further activity. You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.gnome.org/GNOME/libsoup/issues/85.