Alfred Peng wrote:
> Hi Darren/Mark,
> 
> Before I started the arc case, I sent a query with regards to this HTTPS
> support issue to the WebKit community. Dan Winship, the libsoup
> developer, gave me some insight into the problem:
> http://lists.macosforge.org/pipermail/webkit-dev/2009-June/008566.html.
> 
> Roughly there are two points from the reply:
> 
> - An x509 file containing the certificate can be passed to SoupSession
> for verification. In this way, only the "correctly-named non-expired
> certificates signed by one of those CAs" will be accepted, all others
> will be rejected. From the libsoup client howto:
> http://library.gnome.org/devel/libsoup/stable/libsoup-client-howto.html,
> I think it's possible to make WebKit accept user-specified certificate
> with some coding. On the other hand, we could point the
> SOUP_SESSION_SSL_CA_FILE to the system bundled certificates if that's
> available.

So roughly speaking this seems to give 3 options:

1.  Solaris adds some code to set SOUP_SESSION_SSL_CA_FILE based on an 
environment variable or system default if they exist by default, else 
either /dev/null (no HTTPS) or the default (no checking).

2.  Solaris ships with SOUP_SESSION_SSL_CA_FILE set to /dev/null (HTTPS 
disabled) but with documentation saying that users can call 
g_object_set(..., SOUP_SESSION_SSL_CA_FILE, ...) to define either a 
valid CA file to enable support with checking or reset to NULL which 
seems to be claimed to turn checking back off.  (Details in the link above).

3.  Or a similar option to (2) where WebKit ships unmodified with no 
checking, but the documentation states in a clear WARNING section that 
https accesses include no checking unless the user sets 
SOUP_SESSION_SSL_CA_FILE to a valid file (or /dev/null).

Personally, #2 may be the best option, especially if this can be made to 
default to a system-supplied CA file if shipped, since option (1) may 
give the same effect but with more coding and more Solaris-only options 
such as environment variables.

However this assumes that there's not a large bunch of existing WebKit 
clients that people want to download and "./configure; make; make 
install" without adding these calls to the code.

Really, any of these options seems workable, but it seems there should at 
least be a warning in the docs if connections are silently accepted 
without any checking.

> Personally I'd propose to disable the HTTPS support for now and push the
> integration of certificates to OpenSolaris. When it's ready, we can
> enable the HTTPS support.

I would at least document how people can enable support, if this indeed 
works.

Hugh.
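
The selection order described in option 1 above, as an added example that is not part of the original message and is not WebKit or libsoup code. The environment variable name `WEBKIT_SSL_CA_FILE`, the function `choose_ca_file` and the handling of an unreadable override are assumptions; the system bundle path is supplied by the caller because the thread does not name one.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical variable name: the thread does not name one. */
#define CA_FILE_ENV "WEBKIT_SSL_CA_FILE"

/* Per the thread, pointing the CA file at /dev/null means no HTTPS. */
static const char CA_FAIL_CLOSED[] = "/dev/null";

/*
 * Pick the value for SOUP_SESSION_SSL_CA_FILE.
 * override:      content of the environment variable, or NULL
 * system_bundle: system-supplied CA file, or NULL if none ships
 * fail_closed:   1 = fall back to /dev/null, 0 = fall back to NULL (no checking)
 */
const char *choose_ca_file(const char *override, const char *system_bundle,
                           int fail_closed)
{
    if (override != NULL && override[0] != '\0') {
        /* Assumed policy: an explicit but unreadable override never
         * degrades to "no checking", whatever fail_closed says. */
        return access(override, R_OK) == 0 ? override : CA_FAIL_CLOSED;
    }
    if (system_bundle != NULL && access(system_bundle, R_OK) == 0)
        return system_bundle;
    return fail_closed ? CA_FAIL_CLOSED : NULL;
}

int main(int argc, char **argv)
{
    /* argv[1] stands in for the system bundle path (caller-supplied). */
    const char *path = choose_ca_file(getenv(CA_FILE_ENV),
                                      argc > 1 ? argv[1] : NULL, 1);

    if (strcmp(path, CA_FAIL_CLOSED) == 0)
        puts("no usable CA file: HTTPS requests will be rejected");
    else
        printf("CA file: %s\n", path);
    /* The application would then apply it to its SoupSession:
     * g_object_set(session, SOUP_SESSION_SSL_CA_FILE, path, NULL); */
    return 0;
}
```

With `fail_closed` set to 0 and neither source available, the function returns NULL, which corresponds to the unmodified "no checking" default that option 3 would document.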
