[webkit-gtk] [webkit-dev] Question on porting webkit to webkit2

Ben Greear greearb at candelatech.com
Wed Jan 31 13:54:02 PST 2018


On 01/31/2018 01:23 PM, Michael Catanzaro wrote:
>
> Hi,
>
> In the future, please use webkit-gtk at lists.webkit.org instead.

Thanks, I just subscribed to it.

>
> On Wed, Jan 31, 2018 at 12:05 PM, Ben Greear <greearb at candelatech.com> wrote:
>> I am unsure how to port this part... any ideas?
>>
>>     SoupSession *s;
>>
>>     s = webkit_web_context_get_default_session();
>>     g_object_set(G_OBJECT(s), "ssl-ca-file",
>>                  "/etc/ssl/certs/ca-certificates.crt", NULL);
>>     g_object_set(G_OBJECT(s), "ssl-strict", FALSE, NULL);
>
> Good news: you can just remove that code. Modern WebKitGTK+ automatically verifies TLS certificates using the system trust.
>
> The old version of WebKitGTK+ you were using before did not perform any certificate verification at all, so you had to grab the SoupSession and try to do it manually. That's not possible anymore, because the SoupSession lives in the network process, so WebKit must do it for you.
>
> One concern: I see you were setting ssl-strict to FALSE. That means libsoup would accept all certificates, and you must have some code elsewhere in your application to manually verify the certificates. Most applications got this wrong, either by not doing it at all, or by doing it too late, after sending an HTTP request. (It has to happen before the first HTTP request is sent, or your application will leak e.g. secure session cookies to any attacker.)

I am trying to port the osu client in the hostapd process.  Truth is, I don't really understand
why ssl-strict was originally set to false, maybe just to make testing easier.  This is mostly
just a demo tool to test out certain Hotspot 2.0 Wi-Fi-related features, so leaking cookies or similar
is not a big concern in this case.

In case you or someone else has time to review the changes, here is the patch I am working on
testing:

https://github.com/greearb/hostap-ct/commit/8f5aa3ecd4f0e6c23eff848e542bc1ff4d230af7

Thanks,
Ben


-- 
Ben Greear <greearb at candelatech.com>
Candela Technologies Inc  http://www.candelatech.com


