[Webkit-unassigned] [Bug 187679] [Curl] Add allowSpecificHTTPSCertificateForHost support.
bugzilla-daemon at webkit.org
Wed Nov 28 10:26:53 PST 2018
https://bugs.webkit.org/show_bug.cgi?id=187679
--- Comment #14 from Basuke Suzuki <Basuke.Suzuki at sony.com> ---
(In reply to Fujii Hironori from comment #13)
> FWIW, theoretically it is possible to post
> decidePolicyForAuthenticationChallenge callback while verify_callback is
> called by blocking the curl thread.
We can pause it, but then the entire curl thread may be blocked. Currently there's no way to pause a specific curl communication while curl is trying to connect to the SSL server. There is a similar situation while getting a header via a curl callback, and pausing from such a callback is officially allowed without blocking the entire thread. The idea above to send a patch to libcurl may be a similar approach.
> (In reply to Basuke Suzuki from comment #8)
> > To ignore verification error not using above way, it is possible to disable
> > validation for specific session, but it doesn't check the received
> > certificate. Any certificate sent from the server is accepted for that
> > connection. It should ignore specific certificates for the host.
>
> This is a bad idea. User agents shouldn't continue a handshake and receive
> data without user consent of accepting the invalid cert.
Of course this must happen after the user's confirmation. This describes how to ignore an invalid certificate after the user allows us to communicate with the server. But still, as I said in the last sentence, ignoring the entire validation for the host is not a good idea. It should be checked with the (host, certificates) pair which is allowed by the user.
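The (host, certificates) pair check described in the message above, next to the per-host bypass it argues against, as an added C++ example that is not part of the original mail or of WebKit's code. `UserCertificateExceptions`, its methods and the sample byte strings are hypothetical and constructed, and certificates are assumed to be compared as raw DER bytes.

```cpp
#include <algorithm>
#include <cctype>
#include <map>
#include <string>
#include <vector>

// A chain is the list of DER-encoded certificates the server sent, leaf first.
using CertificateChain = std::vector<std::vector<unsigned char>>;

// Hypothetical store of the exceptions a user has explicitly confirmed.
class UserCertificateExceptions {
public:
    // Record that the user accepted exactly this chain for this host.
    void allow(const std::string& host, const CertificateChain& chain)
    {
        if (!chain.empty())
            m_allowed[normalize(host)].push_back(chain);
    }

    // Pair check: true only if this exact chain was accepted for this host.
    bool isAllowed(const std::string& host, const CertificateChain& presented) const
    {
        auto it = m_allowed.find(normalize(host));
        if (it == m_allowed.end())
            return false;
        return std::find(it->second.begin(), it->second.end(), presented) != it->second.end();
    }

    // Weaker policy, for contrast: validation is off for the host whatever it sends.
    bool isAllowedByHostOnly(const std::string& host) const
    {
        return m_allowed.count(normalize(host)) > 0;
    }

private:
    // Host names are case-insensitive, so compare them in lower case.
    static std::string normalize(std::string host)
    {
        std::transform(host.begin(), host.end(), host.begin(),
            [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
        return host;
    }

    std::map<std::string, std::vector<CertificateChain>> m_allowed;
};

// Constructed sample bytes standing in for DER certificates (not real ones).
static const CertificateChain acceptedChain = { { 0x30, 0x82, 0x01, 0x0a }, { 0x30, 0x82, 0x02, 0x0b } };
static const CertificateChain otherChain = { { 0x30, 0x82, 0x01, 0xff } };
```

After `allow("example.test", acceptedChain)`, a connection to the same host that presents `otherChain` still passes `isAllowedByHostOnly` but fails `isAllowed`.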