[Bug 63810] idle basically doesn't validate SSL/TLS certificates

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Wed Apr 24 19:37:31 CEST 2013


https://bugs.freedesktop.org/show_bug.cgi?id=63810

Simon McVittie <simon.mcvittie at collabora.co.uk> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|---                         |FIXED

--- Comment #8 from Simon McVittie <simon.mcvittie at collabora.co.uk> ---
Fixed in 0.1.15.

The minimal patch for distributors of Idle 0.1.11-0.1.14 is something more like
this:

diff --git a/src/idle-server-connection.c b/src/idle-server-connection.c
index 5b8629c..8c8eeff 100644
--- a/src/idle-server-connection.c
+++ b/src/idle-server-connection.c
@@ -469,9 +469,4 @@ IdleServerConnectionState
idle_server_connection_get_state(IdleServerConnection
 void idle_server_connection_set_tls(IdleServerConnection *conn, gboolean tls)
{
     IdleServerConnectionPrivate *priv =
IDLE_SERVER_CONNECTION_GET_PRIVATE(conn);
     g_socket_client_set_tls(priv->socket_client, tls);
-    g_socket_client_set_tls_validation_flags(priv->socket_client,
-        G_TLS_CERTIFICATE_VALIDATE_ALL
-        & ~G_TLS_CERTIFICATE_UNKNOWN_CA
-        & ~G_TLS_CERTIFICATE_BAD_IDENTITY
-        & ~G_TLS_CERTIFICATE_EXPIRED);
 }
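
Review bot: With the g_socket_client_set_tls_validation_flags() call deleted, idle_server_connection_set_tls() no longer states any certificate validation policy and silently depends on GSocketClient's default for tls-validation-flags, which is G_TLS_CERTIFICATE_VALIDATE_ALL. That default gives the intended strict behaviour, but nothing in the function records it. Consider a short comment after g_socket_client_set_tls(priv->socket_client, tls), or an explicit g_socket_client_set_tls_validation_flags(priv->socket_client, G_TLS_CERTIFICATE_VALIDATE_ALL), so that a later change does not quietly reintroduce the masks for G_TLS_CERTIFICATE_UNKNOWN_CA, G_TLS_CERTIFICATE_BAD_IDENTITY and G_TLS_CERTIFICATE_EXPIRED. Those three flags are the checks for an untrusted issuer, a hostname mismatch and an expired certificate, so clearing them left almost nothing validated.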

(which breaks the regression tests, but is minimal). That's what I plan to do
for Debian 7.

I don't plan to implement certificate verification for 0.1.10 or older. If a
distributor wants to do so, they're welcome to share patches via this bug.
