[webkit-gtk] [webkit-dev] Question on porting webkit to webkit2
greearb at candelatech.com
Wed Jan 31 13:54:02 PST 2018
On 01/31/2018 01:23 PM, Michael Catanzaro wrote:
> In the future, please use webkit-gtk at lists.webkit.org instead.
Thanks, I just subscribed to it.
> On Wed, Jan 31, 2018 at 12:05 PM, Ben Greear <greearb at candelatech.com> wrote:
>> I am unsure how to port this part....any ideas?
>> SoupSession *s;
>> s = webkit_web_context_get_default_session();
>> g_object_set(G_OBJECT(s), "ssl-ca-file",
>> "/etc/ssl/certs/ca-certificates.crt", NULL);
>> g_object_set(G_OBJECT(s), "ssl-strict", FALSE, NULL);
> Good news: you can just remove that code. Modern WebKitGTK+ automatically verifies TLS certificates using the system trust.
> The old version of WebKitGTK+ you were using before did not perform any certificate verification at all, so you had to grab the SoupSession and try to do it
> manually. That's not possible anymore, because the SoupSession lives in the network process, so WebKit must do it for you.
> One concern: I see you were setting ssl-strict to FALSE. That means libsoup would accept all certificates, and you must have some code elsewhere in your
> application to manually verify the certificates. Most applications got this wrong, either by not doing it at all, or by doing it too late, after sending an HTTP
> request. (It has to happen before the first HTTP request is sent, or your application will leak e.g. secure session cookies to any attacker.)
I am trying to port the osu client in the hostapd process. Truth is, I don't really understand
why ssl-strict was originally set to false, maybe just to make testing easier. This is mostly
just a demo tool to test out certain hotspot 2.0 wifi related features, so leaking cookies or similar
is not a big concern in this case.
In case you or someone else has time to review the changes, here is the patch I am working on
Ben Greear <greearb at candelatech.com>
Candela Technologies Inc http://www.candelatech.com
More information about the webkit-gtk