[SyncEvolution] SSL related regression in 1.5.3

Patrick Ohly patrick.ohly at intel.com
Wed Jan 17 09:51:56 UTC 2018


On Wed, 2018-01-17 at 09:19 +0100, Tino Mettler wrote:
> On Sun, Jan 14, 2018 at 21:37:36 +0100, Tino Mettler wrote:
> 
> [...]
> 
> > From my point of view, people using HTTPS this way (both set to 0)
> > should just fix their setup, but I don't know if someone really is
> > required to use such SSL settings.  The description in the sample
> > config reads as if "SSLVerifyHost" is disabled when setting
> > "SSLVerifyServer" to 0.
> 
> Hi Patrick,
> 
> are you aware of possible setups that might require both config
> variables set to 0?

Only for testing, for example a server that runs with a self-signed
certificate that was created for a different domain than the one
currently used by the server. It's probably worthwhile to enable this
again.

I still need to look into it when I have the time. I'm not sure how it
worked before: SoupTransportAgent::send() only sets the CA cert file
when SSL checking is enabled (= either of the two options on). It
doesn't disable (and never has disabled) SSL checking, so if that now
happens to be enabled by default, then that's the problem.

Yes, that's it:
https://developer.gnome.org/libsoup/stable/libsoup-session-porting.html
mentions that the default has changed.

So this might work:


    // use CA certificates if available and needed,
    // otherwise let soup use system default certificates
    if (m_verifySSL) {
        if (!m_cacerts.empty()) {
            g_object_set(m_session.get(), SOUP_SESSION_SSL_CA_FILE,
                         m_cacerts.c_str(), NULL);
        }
    } else {
        // Checking enabled by default, disable it.
        g_object_set(m_session.get(), SOUP_SESSION_SSL_STRICT, false,
                     NULL);
    }

-- 
Best Regards, Patrick Ohly

The content of this message is my personal opinion only and although
I am an employee of Intel, the statements I make here in no way
represent Intel's position on the issue, nor am I authorized to speak
on behalf of Intel on this matter.




