[webkit-gtk] [webkit-dev] Question on porting webkit to webkit2

Ben Greear greearb at candelatech.com
Wed Jan 31 13:54:02 PST 2018

On 01/31/2018 01:23 PM, Michael Catanzaro wrote:
> Hi,
> In the future, please use webkit-gtk at lists.webkit.org instead.

Thanks, I just subscribed to it.

> On Wed, Jan 31, 2018 at 12:05 PM, Ben Greear <greearb at candelatech.com> wrote:
>> I am unsure how to port this part... any ideas?
>>     SoupSession *s;
>>     s = webkit_web_context_get_default_session();
>>     g_object_set(G_OBJECT(s), "ssl-ca-file",
>>                  "/etc/ssl/certs/ca-certificates.crt", NULL);
>>     g_object_set(G_OBJECT(s), "ssl-strict", FALSE, NULL);
> Good news: you can just remove that code. Modern WebKitGTK+ automatically verifies TLS certificates using the system trust.
> The old version of WebKitGTK+ you were using before did not perform any certificate verification at all, so you had to grab the SoupSession and try to do it manually. That's not possible anymore, because the SoupSession lives in the network process, so WebKit must do it for you.
> One concern: I see you were setting ssl-strict to FALSE. That means libsoup would accept all certificates, and you must have some code elsewhere in your application to manually verify the certificates. Most applications got this wrong, either by not doing it at all, or by doing it too late, after sending an HTTP request. (It has to happen before the first HTTP request is sent, or your application will leak e.g. secure session cookies to any attacker.)

I am trying to port the OSU client in the hostapd process.  Truth is, I don't really understand
why ssl-strict was originally set to false, maybe just to make testing easier.  This is mostly
just a demo tool to test out certain Hotspot 2.0 Wi-Fi related features, so leaking cookies or similar
is not a big concern in this case.

In case you or someone else has time to review the changes, here is the patch I am working on



Ben Greear <greearb at candelatech.com>
Candela Technologies Inc  http://www.candelatech.com