Hi Mark,

Thanks for pointing this out.

The consumers of libsoup can point to a file containing certificates for recognized SSL Certificate Authorities. HTTPS connections will be checked against these authorities, and rejected if they can't be verified (http://library.gnome.org/devel/libsoup/stable/libsoup-client-howto.html). On the WebKit side, it doesn't set any authorities and accepts all SSL certificates automatically. This could be an RFE for WebKit so that consumers of WebKit can pass the certificate for verification.

Thanks,
-Alfred

On 07/24/09 01:37 AM, Mark Martin wrote:
> Brian Cameron wrote:
>
>> The libcURL HTTP backend support has been removed from WebKit 1.1.x. The
>> default HTTP backend is now libsoup. WebKit uses libsoup to verify the
>> peer's certificates for HTTPS connections. Currently, WebKit accepts all
>> SSL certificates automatically by default as libsoup doesn't support
>> client SSL certificates. Meanwhile, libsoup is also used for HTTP auth
>> handling with optional GNOME Keyring support.
>
> I had some concern regarding the SSL certificate support mentioned here.
> The research I've done indicates that libsoup would support certificate
> validation if the app (i.e. consumers of WebKit?) passes a CA
> certificate file, but by default, does not require this and exhibits the
> behavior you describe. Could you please confirm this? That puts the
> onus of providing CA certificate file configuration to consumers of the
> WebKit library that want validation, correct?