Re: [SyncEvolution] SSL related regression in 1.5.3
On Mon, 2018-01-22 at 22:07 +0100, Tino Mettler wrote:
> On Wed, Jan 17, 2018 at 10:51:56 +0100, Patrick Ohly wrote:
> > Yes, that's it:
> > https://developer.gnome.org/libsoup/stable/libsoup-session-porting.html
> > mentions that the default has changed.
> >
> > So this might work:
> >
> >     // use CA certificates if available and needed,
> >     // otherwise let soup use system default certificates
> >     if (m_verifySSL) {
> >         if (!m_cacerts.empty()) {
> >             g_object_set(m_session.get(), SOUP_SESSION_SSL_CA_FILE, m_cacerts.c_str(), NULL);
> >         }
> >     } else {
> >         // Checking enabled by default, disable it.
> >         g_object_set(m_session.get(), SOUP_SESSION_SSL_STRICT, false, NULL);
> >     }
>
> Hi,
>
> it worked for me. I included this patch in the 1.5.3 package that I
> intend to upload this week.

Thanks for testing. I'll do a 1.5.4 with the same fix, but better not to
wait for it.

--
Best Regards, Patrick Ohly

The content of this message is my personal opinion only and although
I am an employee of Intel, the statements I make here in no way
represent Intel's position on the issue, nor am I authorized to speak
on behalf of Intel on this matter.
___
SyncEvolution mailing list
SyncEvolution@syncevolution.org
https://lists.syncevolution.org/mailman/listinfo/syncevolution
Re: [SyncEvolution] SSL related regression in 1.5.3
On Wed, Jan 17, 2018 at 10:51:56 +0100, Patrick Ohly wrote:
> Yes, that's it:
> https://developer.gnome.org/libsoup/stable/libsoup-session-porting.html
> mentions that the default has changed.
>
> So this might work:
>
>     // use CA certificates if available and needed,
>     // otherwise let soup use system default certificates
>     if (m_verifySSL) {
>         if (!m_cacerts.empty()) {
>             g_object_set(m_session.get(), SOUP_SESSION_SSL_CA_FILE, m_cacerts.c_str(), NULL);
>         }
>     } else {
>         // Checking enabled by default, disable it.
>         g_object_set(m_session.get(), SOUP_SESSION_SSL_STRICT, false, NULL);
>     }

Hi,

it worked for me. I included this patch in the 1.5.3 package that I
intend to upload this week.

Regards,
Tino
Re: [SyncEvolution] SSL related regression in 1.5.3
On Wed, 2018-01-17 at 09:19 +0100, Tino Mettler wrote:
> On Sun, Jan 14, 2018 at 21:37:36 +0100, Tino Mettler wrote:
>
> [...]
>
> > From my point of view, people using HTTPS this way (both set to 0)
> > should just fix their setup, but I don't know if someone really is
> > required to use such SSL settings. The description in the sample
> > config reads as if "SSLVerifyHost" is disabled when setting
> > "SSLVerifyServer" to 0.
>
> Hi Patrick,
>
> are you aware of possible setups that might require both config
> variables set to 0?

Only for testing, for example a server that runs with a self-signed
certificate that was created for a different domain than the one
currently used by the server.

It's probably worthwhile to enable this again. I still need to look
into it when I have the time.

I'm not sure how it worked before: SoupTransportAgent::send() only sets
the CA cert file when SSL checking is enabled (= either of the two
options on). It doesn't (and never has) disabled SSL checking, so if
that now happens to be enabled by default, then that's the problem.

Yes, that's it:
https://developer.gnome.org/libsoup/stable/libsoup-session-porting.html
mentions that the default has changed.

So this might work:

    // use CA certificates if available and needed,
    // otherwise let soup use system default certificates
    if (m_verifySSL) {
        if (!m_cacerts.empty()) {
            g_object_set(m_session.get(), SOUP_SESSION_SSL_CA_FILE, m_cacerts.c_str(), NULL);
        }
    } else {
        // Checking enabled by default, disable it.
        g_object_set(m_session.get(), SOUP_SESSION_SSL_STRICT, false, NULL);
    }

--
Best Regards, Patrick Ohly
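The behaviour described in the message above, as an added example that is not part of the original thread or of SyncEvolution's code: a self-contained C++ model (no libsoup dependency) of how the two config options map to session settings with and without the proposed change. `Session`, `optionEnabled()`, `configure()` and `accepts()` are hypothetical names. The model assumes that a session starts with strict checking on, as the message concludes, and that an option missing from the config counts as enabled.

```cpp
#include <iostream>
#include <sstream>
#include <string>

// Hypothetical stand-in for the two session properties discussed above.
// Assumption: strict certificate checking is on unless explicitly disabled.
struct Session {
    bool sslStrict = true;
    std::string caFile;  // empty: system default certificates
};

// Read a "Key = 0/1" line from a config text (constructed sample format).
bool optionEnabled(const std::string &config, const std::string &key) {
    std::istringstream in(config);
    std::string line;
    while (std::getline(in, line)) {
        auto eq = line.find('=');
        if (eq == std::string::npos) continue;
        std::string k = line.substr(0, eq), v = line.substr(eq + 1);
        k.erase(k.find_last_not_of(" \t") + 1);  // trim trailing blanks
        v.erase(0, v.find_first_not_of(" \t"));  // trim leading blanks
        if (k == key) return !v.empty() && v[0] != '0';
    }
    return true;  // assumption of this model: missing option means "on"
}

// fixedCode=false mirrors the logic without the else branch,
// fixedCode=true mirrors the snippet proposed in the message.
Session configure(const std::string &config, const std::string &cacerts, bool fixedCode) {
    Session s;
    // "SSL checking is enabled (= either of the two options on)"
    bool verifySSL = optionEnabled(config, "SSLVerifyServer") ||
                     optionEnabled(config, "SSLVerifyHost");
    if (verifySSL) {
        if (!cacerts.empty()) s.caFile = cacerts;
    } else if (fixedCode) {
        s.sslStrict = false;  // checking enabled by default, disable it
    }
    return s;
}

// Does the connection proceed, given the certificate's validation result?
bool accepts(const Session &s, bool certTrusted) {
    return certTrusted || !s.sslStrict;
}

int main() {
    const std::string off = "SSLVerifyServer = 0\nSSLVerifyHost = 0\n";  // constructed
    for (bool fixedCode : {false, true})
        std::cout << (fixedCode ? "patched: " : "unpatched: ")
                  << accepts(configure(off, "", fixedCode), false) << "\n";
}
```

Only the combination with both options set to 0 changes outcome; any config with at least one option on still rejects an untrusted certificate in this model.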
Re: [SyncEvolution] SSL related regression in 1.5.3
On Sun, Jan 14, 2018 at 21:37:36 +0100, Tino Mettler wrote:

[...]

> From my point of view, people using HTTPS this way (both set to 0)
> should just fix their setup, but I don't know if someone really is
> required to use such SSL settings. The description in the sample
> config reads as if "SSLVerifyHost" is disabled when setting
> "SSLVerifyServer" to 0.

Hi Patrick,

are you aware of possible setups that might require both config
variables set to 0?

Regards,
Tino
[SyncEvolution] SSL related regression in 1.5.3
Hi Patrick,

while testing the 1.5.3 Debian package, I discovered a regression
regarding the SSL settings. With the following settings I only get a
soup related error:

SSLVerifyServer = 0
SSLVerifyHost = 0

The error message is:

[INFO] SoupTransport Failure: https:///sync via libsoup: Unacceptable TLS certificate

When I set both settings to 1, it works as intended. It also works when
I set only one of both settings to 0, or set both to 1.

From my point of view, people using HTTPS this way (both set to 0)
should just fix their setup, but I don't know if someone really is
required to use such SSL settings. The description in the sample
config reads as if "SSLVerifyHost" is disabled when setting
"SSLVerifyServer" to 0.

Regards,
Tino