I think we need to make a distinction between developers and end users here. IMHO it would be best if the end user were presented with a choice about whether to trust the self-signed, unverified or invalid certificates, and perhaps also to provide a means to trust the presented certificate permanently.

PS: I haven't tested it, but adding the self-signed certificates to the root CA store might be a valid workaround for development purposes.

On 26.06.2017 12:15, Peter Von Kaehne wrote:
> Fair point, but a change from one to the other may be preferable for
> philosophical reasons, but practically I - and others - need to be able as
> users to make a determination what we want to accept and what not, instead of
> being forced into one direction. And, as tool writer and user (not frontend
> writer) I need to be able to override such things mechanically, i.e. without
> further user interaction.
>
>> Sent: Monday, 26 June 2017 at 10:04
>> From: "Jaak Ristioja" <j...@ristioja.ee>
>> To: sword-devel@crosswire.org
>> Subject: Re: [sword-devel] SWORD 1.8.0RC3
>>
>> Overriding this setting was never possible with Sword in the first place.
>>
>> On 26.06.2017 11:05, ref...@gmx.net wrote:
>>> As a user I would want to be able to override this, does this patch make
>>> this impossible?
>>>
>>> Sent from my mobile. Please forgive shortness, typos and weird autocorrects.
>>>
>>> -------- Original Message --------
>>> Subject: Re: [sword-devel] SWORD 1.8.0RC3
>>> From: Jaak Ristioja
>>> To: sword-devel@crosswire.org
>>> CC:
>>>
>>> Sure! Verifying TLS certificates is explicitly disabled in the file
>>>
>>> src/mgr/curlhttpt.cpp
>>>
>>> by the lines:
>>>
>>> /* Disable checking host certificate */
>>> curl_easy_setopt(session, CURLOPT_SSL_VERIFYPEER, false);
>>>
>>> I've attached a patch for Sword SVN trunk which removes these lines. For
>>> the Sword++ commit, see
>>>
>>> https://github.com/swordxx/swordxx/commit/49de93ca35f61601376fab0ac8689f48a76dd4d6
>>>
>>> J
>>>
>>> On 26.06.2017 04:10, Greg Hellings wrote:
>>> > Jaak,
>>> >
>>> > Can you provide a version of that patch for 1.7 (and 1.8, if there is a
>>> > difference)? Or point me to where it lives? I will definitely wrap that
>>> > into the packaging for Fedora and SuSE as it is absolutely inappropriate
>>> > to have SSL checking skipped at the library level without it being a
>>> > very explicit step for users.
>>> >
>>> > If Troy won't fix this glaring security hole, it can at least be fixed
>>> > by the packagers. I would encourage any Debian and/or Ubuntu users to
>>> > file bugs against Sword packaging in their environments (if their
>>> > maintainer isn't here) and the same for any other distribution users.
>>> >
>>> > --Greg
>>> >
>>> > On Sun, Jun 25, 2017 at 6:56 PM, Jaak Ristioja wrote:
>>> >
>>> > Regarding TLS, I think the choice of whether to trust a self-signed
>>> > certificate should explicitly be left to the user at run-time (e.g. like
>>> > browsers do), rather than blindly accepting any (even expired?)
>>> > certificates.
>>> >
>>> > Regarding the other fix, frontends can (and already do) handle threading
>>> > by themselves, but afaik even for a single-threaded process the
>>> > callbacks accepted by Sword have no direct means to terminate the
>>> > installation process (e.g. by return value, or via another callback
>>> > provided to the callback). So it seems that you're either saying that
>>> >
>>> > 1) Sword users have no means to terminate potentially long-running
>>> > processes (and there's no plan to add such means), or
>>> > 2) RemoteTransport::terminate() should never be called separately, but
>>> > exclusively only from inside callbacks invoked by Sword.
>>> >
>>> > In the latter case, this should be made clear in the documentation.
>>> >
>>> > Blessings,
>>> > J
>>> >
>>> > On 25.06.2017 21:53, Troy A. Griffitts wrote:
>>> > > We have included some of your patches in the past (thank you again), but
>>> > > not these. The first is intentional. We want to work with self signed
>>> > > certs if necessary. None of our content is private, only the fact that a
>>> > > user might access our server and for this, we ask all our frontends to
>>> > > warn against this for persecuted countries. The second goes against our
>>> > > policy in the library that all threading should be handled by the
>>> > > client, not the library. The client should instantiate an InstallMgr in
>>> > > its own thread and register threads are callbacks, if they wish to
>>> > > install in the background. If we start trying to handle threading in the
>>> > > library itself, it is a huge switch from current policy and depends on
>>> > > support for threading in all our compilers. Easy enough to just
>>> > > instantiate separate SWMgr instances per thread. But thank you for offering.
>>> > > Troy
>>> > >
>>> > > On June 25, 2017 8:33:53 PM GMT+02:00, Jaak Ristioja wrote:
>>> > >
>>> > > Hi Troy!
>>> > >
>>> > > It seems that no fixes from Sword++ were considered for inclusion in SVN
>>> > > trunk, not even the two I explicitly proposed on this list in response
>>> > > to the RC2 announcement: one fixing hangs in front ends and the other
>>> > > fixing a pure security negligence which rendered SSL/TLS susceptible to
>>> > > MitM attacks.
>>> > >
>>> > > ?!?!
>>> > >
>>> > > J
>>> > >
>>> > > On 25.06.2017 18:51, Troy A. Griffitts wrote:
>>> > >
>>> > > Again, thank you to all the testers and reporters of problems for the
>>> > > previous RC and those who contributed fixes. Hopefully, this will stand
>>> > > any scrutiny and become 1.8.0. Please let me know if you have any feedback.
>>> > >
>>> > > http://crosswire.org/sword/alpha/alpha/sword-1.7.903.tar.gz
>>> > >
>>> > > Included since last RC:
>>> > >
>>> > > ------------------------------------------------------------------------
>>> > > r3482 | scribe | 2017-06-25 07:36:23 -0700 (Sun, 25 Jun 2017) | 2 lines
>>> > >
>>> > > Reworked strongs and lemma filters to better support any combo of toggle
>>> > > Added osisxhtml lemma type= support for other than Greek, Hebrew strongs
>>> > > ------------------------------------------------------------------------
>>> > > r3481 | scribe | 2017-06-25 04:45:04 -0700 (Sun, 25 Jun 2017) | 3 lines
>>> > >
>>> > > moved examples/simple.cpp to examples/tasks/simpleverselookup.cpp
>>> > >
>>> > > also updated CMakeList.txt to build new examples
>>> > > ------------------------------------------------------------------------
>>> > > r3480 | scribe | 2017-06-25 04:44:29 -0700 (Sun, 25 Jun 2017) | 1 line
>>> > >
>>> > > added listbiblebooknames example
>>> > > ------------------------------------------------------------------------
>>> > > r3479 | scribe | 2017-06-25 04:44:01 -0700 (Sun, 25 Jun 2017) | 1 line
>>> > >
>>> > > added flatapi installmgr example
>>> > > ------------------------------------------------------------------------
>>> > > r3478 | refdoc | 2017-06-10 15:28:11 -0700 (Sat, 10 Jun 2017) | 2 lines
>>> > >
>>> > > added Belarussian locale file
>>> > > ------------------------------------------------------------------------
>>> > > r3477 | domcox | 2017-06-04 11:18:34 -0700 (Sun, 04 Jun 2017) | 1 line
>>> > >
>>> > > French translation update (Contrib. from Cyrille)
>>> > > ------------------------------------------------------------------------
>>> > >
>>> > > _______________________________________________
>>> > > sword-devel mailing list: sword-devel@crosswire.org
>>> > > http://www.crosswire.org/mailman/listinfo/sword-devel
>>> > > Instructions to unsubscribe/change your settings at above page
>>> > >
>>> > > --
>>> > > Sent from my Android device with K-9 Mail. Please excuse my brevity.