On Wed, 2018-01-17 at 09:19 +0100, Tino Mettler wrote:
> On Sun, Jan 14, 2018 at 21:37:36 +0100, Tino Mettler wrote:
> > [...]
>
> > From my point of view, people using HTTPS this way (both set to 0)
> > should just fix their setup, but I don't know if someone really is
> > required to use such SSL settings. The description in the sample
> > config reads as if "SSLVerifyHost" is disabled when setting
> > "SSLVerifyServer" to 0.
>
> Hi Patrick,
>
> are you aware of possible setups that might require both config
> variables set to 0?

Only for testing, for example a server that runs with a self-signed
certificate that was created for a different domain than the one
currently used by the server.

It's probably worthwhile to enable this again. I still need to look
into it when I have the time.

I'm not sure how it worked before: SoupTransportAgent::send() only sets
the CA cert file when SSL checking is enabled (= either of the two
options on). It doesn't disable (and never has disabled) SSL checking,
so if that now happens to be enabled by default, then that's the
problem.

Yes, that's it:
https://developer.gnome.org/libsoup/stable/libsoup-session-porting.html
mentions that the default has changed.

So this might work:

    // use CA certificates if available and needed,
    // otherwise let soup use system default certificates
    if (m_verifySSL) {
        if (!m_cacerts.empty()) {
            g_object_set(m_session.get(), SOUP_SESSION_SSL_CA_FILE, m_cacerts.c_str(), NULL);
        }
    } else {
        // Checking enabled by default, disable it.
        g_object_set(m_session.get(), SOUP_SESSION_SSL_STRICT, false, NULL);
    }

-- 
Best Regards, Patrick Ohly

The content of this message is my personal opinion only and although
I am an employee of Intel, the statements I make here in no way
represent Intel's position on the issue, nor am I authorized to speak
on behalf of Intel on this matter.

_______________________________________________
SyncEvolution mailing list
[email protected]
https://lists.syncevolution.org/mailman/listinfo/syncevolution
