[webkit-dev] About https support of WebKitGTK

Alfred Peng alfred.peng at gmail.com
Fri Jun 26 20:22:49 PDT 2009


Hi Dan,

Thanks for the information! To patch the source code to disable https
looks good to me as a temporary solution.

Best,
-Alfred

On Sat, Jun 27, 2009 at 5:09 AM, Dan Winship <danw at gnome.org> wrote:
> On 06/24/2009 04:57 AM, Alfred Peng wrote:
>> The latest WebKitGTK 1.1.10 has switched to use libsoup as the default
>> backend (The HTTP Authentication dialog looks good BTW). And it
>> supports https by default. As I check the WebKitGTK source code,
>> WebKitGTK calls soup_session_async_new to create SoupSession. With
>> this session, WebKitGTK accepts all SSL certificates automatically
>> instead of checking against certain SSL Certificate Authorities. This
>> approach looks not so secure, for Epiphany for example.
>>
>> Is there any plan to improve this situation in the future development
>> (Maybe before GNOME 2.28 release)? Is there any setting to disable
>> https support for now like we did for cURL backend?
>
> If you wanted to disable https support, you could add this somewhere:
>
>    g_object_set (webkit_get_default_session (),
>                  SOUP_SESSION_SSL_CA_FILE, "/dev/null",
>                  NULL);
>
> and that will cause all SSL connections to fail. (Of course, instead of
> pointing it to "/dev/null", you could also point it to an x509 file
> containing the certs of trusted certificate authorities, in which case
> it would accept correctly-named non-expired certificates signed by one
> of those CAs, and reject all others.)
>
> There is not currently any way to let the application decide on a
> case-by-case basis whether or not to accept a certificate. There's a bug
> about it somewhere in bugzilla (bugzilla.gnome.org that is, libsoup
> product), but I'm not actively working on it because IMHO letting the
> user decide whether or not to accept a certificate is not actually an
> "improvement" in terms of either usability or security. YMMV. Patches
> accepted. Note also that I'm not an Epiphany or WebKitGTK developer, and
> I'm not sure what they think about this (though I've never seen it on
> any of the lists of "things we need to get done for Epiphany 2.28").
>
> -- Dan
>
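
A pre-flight check for the file passed as SOUP_SESSION_SSL_CA_FILE, as an added example that is not part of the original thread and not libsoup or WebKitGTK code. It counts certificate blocks so that a bundle with no certificates, which would leave no trusted CAs just as "/dev/null" does, is caught before the session is configured. The function names are hypothetical, and the CA file is assumed to be PEM-encoded.

```c
#include <stdio.h>
#include <string.h>

/* Count complete PEM certificate blocks in a candidate CA file.
 * Returns the count (0 for an empty file such as /dev/null),
 * -1 if the file cannot be opened, and -2 if the BEGIN/END
 * markers are unbalanced (truncated or corrupted bundle). */
int count_ca_certs(const char *path)
{
    static const char begin[] = "-----BEGIN CERTIFICATE-----";
    static const char end[]   = "-----END CERTIFICATE-----";
    char line[256];
    int count = 0, in_cert = 0, bad = 0, bol = 1;
    FILE *f = fopen(path, "r");

    if (f == NULL)
        return -1;
    while (fgets(line, sizeof line, f) != NULL) {
        /* bol: this chunk starts a new line, not the tail of a long one */
        if (bol && strncmp(line, begin, sizeof begin - 1) == 0) {
            if (in_cert) { bad = 1; break; }
            in_cert = 1;
        } else if (bol && strncmp(line, end, sizeof end - 1) == 0) {
            if (!in_cert) { bad = 1; break; }
            in_cert = 0;
            count++;
        }
        bol = strchr(line, '\n') != NULL;
    }
    fclose(f);
    return (bad || in_cert) ? -2 : count;
}

/* Hypothetical helper: 1 if the file holds at least one CA certificate. */
int ca_file_usable(const char *path)
{
    return count_ca_certs(path) > 0;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/dev/null";
    int n = count_ca_certs(path);

    /* Only when n > 0 does the call from the thread make sense as a
     * trust store rather than as a way to make every connection fail:
     *   g_object_set (webkit_get_default_session (),
     *                 SOUP_SESSION_SSL_CA_FILE, path, NULL); */
    printf("%s: %d certificate block(s)\n", path, n);
    return n > 0 ? 0 : 1;
}
```

The check only confirms that the bundle is structurally non-empty; it does not parse or validate the certificates themselves.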

