GNOME / libsoup / Merge requests / !239

Enable ssl-use-system-ca-file on deprecated Sync and Async sessions

Merged: Patrick Griffis requested to merge pgriffis/system-ca-default into gnome-3-38 on Jun 22, 2021

The default was disabled for backwards compatibility; however, it was an unsafe default and many projects unknowingly did not enable it.

This is a break in behavior; however, the security concerns are important. The belief that all projects would switch to the safer SoupSession didn't happen and the number of under-maintained projects is too many to fix quickly.

This brings a base level of security to all of them and will likely not actually break much as the modern internet depends on CAs heavily.

For projects that hit this regression the correct fixes might be:

  • Use a cert signed by a common CA
  • Install a custom CA that your cert used
  • In libsoup set SoupSession*:tls-database to your private database

Simply disabling this property is likely the wrong solution as nothing is validated in that case.

Source branch: pgriffis/system-ca-default