Hi Dan,

Thanks for the information! To patch the source code to disable https looks good to me as a temporary solution.

Best,
-Alfred

On Sat, Jun 27, 2009 at 5:09 AM, Dan Winship <d...@gnome.org> wrote:
> On 06/24/2009 04:57 AM, Alfred Peng wrote:
>> The latest WebKitGTK 1.1.10 has switched to use libsoup as the default
>> backend (The HTTP Authentication dialog looks good BTW). And it
>> supports https by default. As I check the WebKitGTK source code,
>> WebKitGTK calls soup_session_async_new to create SoupSession. With
>> this session, WebKitGTK accepts all SSL certificates automatically
>> instead of checking against certain SSL Certificate Authorities. This
>> approach looks not so secure, for Epiphany for example.
>>
>> Is there any plan to improve this situation in the future development
>> (Maybe before GNOME 2.28 release)? Is there any setting to disable
>> https support for now like we did for cURL backend?
>
> If you wanted to disable https support, you could add this somewhere:
>
>     g_object_set (webkit_get_default_session (),
>                   SOUP_SESSION_SSL_CA_FILE, "/dev/null",
>                   NULL);
>
> and that will cause all SSL connections to fail. (Of course, instead of
> pointing it to "/dev/null", you could also point it to an x509 file
> containing the certs of trusted certificate authorities, in which case
> it would accept correctly-named non-expired certificates signed by one
> of those CAs, and reject all others.)
>
> There is not currently any way to let the application decide on a
> case-by-case basis whether or not to accept a certificate. There's a bug
> about it somewhere in bugzilla (bugzilla.gnome.org that is, libsoup
> product), but I'm not actively working on it because IMHO letting the
> user decide whether or not to accept a certificate is not actually an
> "improvement" in terms of either usability or security. YMMV. Patches
> accepted. Note also that I'm not an Epiphany or WebKitGTK developer, and
> I'm not sure what they think about this (though I've never seen it on
> any of the lists of "things we need to get done for Epiphany 2.28").
>
> -- Dan
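
One way an embedder could choose the value for SOUP_SESSION_SSL_CA_FILE, so that a missing or empty CA bundle falls back to the "/dev/null" setting from the message above (all SSL connections fail) instead of leaving the session on its accept-everything default. This is an added example, not code from the thread, WebKitGTK or libsoup; the helper names and the two bundle paths are assumptions, and it only counts PEM markers rather than parsing certificates.

```c
#include <stdio.h>
#include <string.h>

#define PEM_BEGIN "-----BEGIN CERTIFICATE-----"
#define PEM_END   "-----END CERTIFICATE-----"

/* Count complete BEGIN/END certificate blocks in a NUL-terminated buffer. */
static int count_pem_certs(const char *buf) {
    int n = 0;
    const char *p = buf;
    while ((p = strstr(p, PEM_BEGIN)) != NULL) {
        const char *end = strstr(p + strlen(PEM_BEGIN), PEM_END);
        if (end == NULL)
            break;                  /* truncated block is not counted */
        n++;
        p = end + strlen(PEM_END);
    }
    return n;
}

/* Certificate blocks in the file at path, or -1 if it cannot be opened. */
static int ca_file_cert_count(const char *path) {
    static char buf[1 << 20];       /* demo limit: first 1 MiB of the file */
    FILE *f = fopen(path, "r");
    if (f == NULL)
        return -1;
    size_t len = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[len] = '\0';
    return count_pem_certs(buf);
}

/* First candidate with at least one certificate; otherwise "/dev/null", so
 * every SSL connection fails rather than every certificate being accepted. */
static const char *pick_ca_file(const char *const *candidates, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (ca_file_cert_count(candidates[i]) > 0)
            return candidates[i];
    return "/dev/null";
}

int main(void) {
    /* Assumed distro bundle paths; pass the result as SOUP_SESSION_SSL_CA_FILE. */
    const char *const paths[] = { "/etc/ssl/certs/ca-certificates.crt",
                                  "/etc/pki/tls/certs/ca-bundle.crt" };
    printf("%s\n", pick_ca_file(paths, 2));
    return 0;
}
```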