[webkit-gtk] TLS API in WebKit2

Carlos Garcia Campos cgarcia at igalia.com
Wed Jun 20 10:15:25 PDT 2012


On Wed, 20-06-2012 at 12:25 -0400, Dan Winship wrote:
> On 06/20/2012 11:30 AM, Carlos Garcia Campos wrote:
> > As with the cookies, in WebKit2 we need to provide specific API for TLS
> > handling, because the network happens in the web process, and it's not
> > possible to access the soup session from the UI process.
> 
> Right. So, SoupSession's TLS-related properties are a complete disaster,
> so you definitely don't want an API that looks anything like that.

Ok ;-)

> > We want to support at least:
> > 
> >  - Set SOUP_SESSION_SSL_STRICT property. 
> 
> I think what you want is a signal basically like
> GTlsConnection::accept-certificate; WebKit would always be ssl-strict =
> FALSE internally, and when it got a response with a bad certificate, it
> would emit some signal to let the app decide whether or not to accept
> the response anyway. Or alternatively there could be an "always accept
> certs" property. Default should be to not do that though.

Hmm, the problem is that we can't stop the load until the certificate is
accepted. From the api point of view, it makes a lot of sense and maybe
we could even use the generic permission request api added by Mario.
So, I think we could do the opposite, set ssl-strict = TRUE internally,
and handle the ssl-error emitting the new signal (or permission-request
if we decide to use the generic permission request api) instead of
load-error. The problem with this approach is that if the certificate is
accepted, the next request will fail again because ssl-strict is TRUE.

> >  - Set SOUP_SESSION_USE_SYSTEM_CA_FILE property
> >  - Set SOUP_SESSION_TLS_DATABASE property
> 
> You definitely want ssl-use-system-ca-file = TRUE by default.
> 
> To support the tls-database property, you would have to write a
> GTlsDatabase implementation that proxied calls between the two
> processes. Then you could pass that tlsdb to libsoup in the network
> process, and have it talk to the tlsdb that the application gave you in
> the UI process. Since you presumably already have easy ways of
> communicating between the processes, this shouldn't be that hard. OTOH,
> I'm not really sure that letting the user provide their own tlsdb is
> really necessary, so maybe put this one off for now?
> 
> (You'd also need to be careful in the proxy GTlsDatabase implementation
> that it can't end up blocking the network process while waiting for the
> UI process.)

Ok, I think we really want ssl-use-system-ca-file = TRUE :-)

> > or at least provide a file to create a database object from the file
> 
> There's not really a whole lot of reason to create a database from a
> file other than the default system certdb, and if you did need to do
> that, you're just as likely to want to create it from a static string,
> or a GResource, or a GSetting value, etc. So I don't think we need to
> privilege file-based GTlsDatabases.

Ok.

> >  - Check SOUP_MESSAGE_CERTIFICATE_TRUSTED flag
> >  - Provide further information in case of SSL error (GTlsCertificateFlags
> > and GTlsCertificate)
> >  - Provide access to the GTlsCertificate
> > 
> > Am I missing anything?
> 
> Client-side certificates, though of course, neither libsoup nor WebKit
> nor epiphany/midori/etc support that currently. It works vaguely like
> authentication though; the request would fail with
> G_TLS_ERROR_CERTIFICATE_REQUIRED, and the app would have to somehow
> select a GTlsCertificate and pass it to the network process.
>
> I think the answer here though is that we need to wait until the
> underlying APIs are there, and then fit them into WK2.

Ok, hopefully we can add the required api later without breaking the
existing API.

> > SOUP_MESSAGE_CERTIFICATE_TRUSTED flag could be exposed by
> > WebKitURIRequest and WebKitURIResponse APIs, something like
> > webkit_uri_response_is_certificate_trusted() or something similar.
> 
> An enum would probably work better: there's plain http, https with an
> untrusted cert, https with a trusted cert, and https with an EV cert.
> (Anything else that we need to distinguish in the UI?)

I don't know :-P

> > It looks a bit weird having the certificate and the
> > flags in the view though
> 
> Yeah, it does.
>
> -- Dan

Thanks for your help!

-- 
Carlos Garcia Campos
http://pgp.rediris.es:11371/pks/lookup?op=get&search=0xF3D322D0EC4582C3
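As an added illustration (not code from this thread, libsoup or WebKit), a plain-C model of the policy discussed above: strict verification stays on in the network process, a certificate error is referred to the UI through an accept-certificate-style callback, and a granted exception is keyed to host and certificate so the retried load does not fail again. The GTlsCertificateFlags bit values are GIO's; the outcome enum names, the callback type, the constructed UI stand-ins and the rule that a revoked certificate cannot be overridden are assumptions of this example.

```c
#include <stdbool.h>
#include <string.h>

/* GTlsCertificateFlags bit values as defined in GIO's gioenums.h. */
enum { TLS_UNKNOWN_CA = 1 << 0, TLS_BAD_IDENTITY = 1 << 1, TLS_NOT_ACTIVATED = 1 << 2,
       TLS_EXPIRED = 1 << 3, TLS_REVOKED = 1 << 4, TLS_INSECURE = 1 << 5,
       TLS_GENERIC_ERROR = 1 << 6 };

/* Outcomes the UI can distinguish, modelled on the enum suggested in the thread
   (hypothetical names; EV is left out because it needs a policy database). */
typedef enum { LOAD_HTTP, LOAD_HTTPS_TRUSTED, LOAD_HTTPS_UNTRUSTED_ACCEPTED, LOAD_FAILED } LoadOutcome;

/* A remembered decision: one host, one certificate (hex fingerprint string)
   and the set of errors the user saw when accepting it. */
typedef struct { char host[64]; char fingerprint[65]; unsigned flags; } Exception;
static Exception exceptions[16];
static int n_exceptions;

/* Stands in for the proposed accept-certificate-style signal: the UI process
   returns true to accept this certificate for this host despite the errors. */
typedef bool (*AcceptCb)(const char *host, unsigned flags);

/* Constructed UI stand-ins for exercising the policy. */
bool ui_accept(const char *host, unsigned flags) { (void)host; (void)flags; return true; }
bool ui_reject(const char *host, unsigned flags) { (void)host; (void)flags; return false; }

/* Network-process policy: ssl-strict verification stays on; only on an error
   is the UI consulted, and a granted exception is stored so the retry passes. */
LoadOutcome tls_decide(const char *scheme, const char *host,
                       const char *fingerprint, unsigned flags, AcceptCb ask)
{
    if (strcmp(scheme, "https") != 0) return LOAD_HTTP;
    if (flags == 0) return LOAD_HTTPS_TRUSTED;
    for (int i = 0; i < n_exceptions; i++)
        if (strcmp(exceptions[i].host, host) == 0 &&
            strcmp(exceptions[i].fingerprint, fingerprint) == 0 &&
            (flags & ~exceptions[i].flags) == 0)      /* no new error kinds */
            return LOAD_HTTPS_UNTRUSTED_ACCEPTED;
    /* Assumption for this example: a revoked certificate is never overridable. */
    if (flags & TLS_REVOKED) return LOAD_FAILED;
    if (!ask || !ask(host, flags) || n_exceptions == 16) return LOAD_FAILED;
    Exception *e = &exceptions[n_exceptions++];
    strncpy(e->host, host, sizeof e->host - 1);
    e->host[sizeof e->host - 1] = '\0';
    strncpy(e->fingerprint, fingerprint, sizeof e->fingerprint - 1);
    e->fingerprint[sizeof e->fingerprint - 1] = '\0';
    e->flags = flags;
    return LOAD_HTTPS_UNTRUSTED_ACCEPTED;
}
```

An exception matches only the same host, the same certificate and no error kinds beyond those originally shown, so a changed certificate or a newly expired one goes back to the UI instead of silently passing.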