Brian Cameron wrote:
> The libcURL HTTP backend support has been removed from WebKit 1.1.x. The
> default HTTP backend is now libsoup. WebKit uses libsoup to verify the
> peer's certificates for HTTPS connections. Currently, WebKit accepts all
> SSL certificates automatically by default as libsoup doesn't support
> client SSL certificate. Meanwhile, libsoup is also used for HTTP auth
> handling with optional GNOME Keyring support.

I had some concern regarding the SSL certificate support mentioned here. The research I've done indicates that libsoup would support certificate validation if the app (i.e. consumers of WebKit?) passes a CA certificate file, but by default, does not require this and exhibits the behavior you describe. Could you please confirm this? That puts the onus of providing CA certificate file configuration to consumers of the WebKit library that want validation, correct?