Hi Mark,

On 07/31/09 02:13 AM, Mark Martin wrote:
> Seems like we went from the prior WebKit (2008/782) requiring an
> override to accept all SSL to having that behavior by default.
>

Yes, since the http backend was switched from libcURL to libsoup, the default behavior was changed in the latest WebKit compared with the last one (2008/782).

> As in the original case (2008/782), this certainly seems appropriate for
> a documentation admonishment. I'd say that'd be quite a violation of
> user expectation to silently, by default, accept all certificates. I
> believe the stakes are raised, so I'm not sure if the "NOTES" section is
> the right place for this as it was in the last case. Before, risky
> behavior was only available with an override to the
> it-doesnt-work-at-all behavior. Now, it's the default. I don't know
> what the answer is, though, if it's not NOTES.
>
> "Beware, all ye consumers of WebKit: unless you pass a certificate for
> validation, SSL certificate validation is not enforced, and all
> certificates are considered valid, including those that really aren't.".
>
> As for an RFE, could you clarify a little on that? An RFE to enable
> users to pass the certificate in the first place? It's not even
> available as delivered here?
>

Sorry for not making things clear. libsoup does provide support for passing a certificate through the soup session, but WebKit doesn't. This is consistent with the last case, 2008/782. The RFE could be to add a certain API to WebKit and enable users/WebKit consumers to specify a certificate by using that interface.

As for accepting certificates by default, we could roll back to the behavior of case 2008/782. That is to say, disable https support by default. Currently, Evolution, which supports showing https pages, could be the only application in OpenSolaris that'll be impacted by this change. I think it's good to stress a little bit that there are no well-known CA certificates shipped in OpenSolaris. So the https support has to be disabled for certain applications, including WebKit.

Regards,
-Alfred