Enable ssl-use-system-ca-file on deprecated Sync and Async sessions (!239) · Merge requests · GNOME / libsoup

Patrick Griffis requested to merge pgriffis/system-ca-default into gnome-3-38 Jun 22, 2021

The default was disabled for backwards compatability however it was an unsafe default and many projects unknowingly did not enable it.

This is a break in behavior however the security concerns are important. The belief that all projects would switch to the safer SoupSession didn't happen and the number of under-maintained projects is too many to fix quickly.

This brings a base level of security to all of them and will likely not actually break much as the modern internet depends on CAs heavily.

For projects that hit this regression the correct fixes might be:

Use a cert signed by a common CA
Install a custom CA that your cert used
In libsoup set SoupSession*:tls-database to your private database

Simply disabling this property is likely the wrong solution as nothing is validated in that case.

Enable ssl-use-system-ca-file on deprecated Sync and Async sessions

Merge request reports