
Enable ssl-use-system-ca-file on deprecated Sync and Async sessions

Patrick Griffis requested to merge pgriffis/system-ca-default into gnome-3-38

The default was disabled for backwards compatibility; however, it was an unsafe default and many projects unknowingly did not enable it.

This is a break in behavior; however, the security concerns are important. The belief that all projects would switch to the safer SoupSession didn't happen, and the number of under-maintained projects is too many to fix quickly.

This brings a base level of security to all of them and will likely not actually break much as the modern internet depends on CAs heavily.

For projects that hit this regression, the correct fixes might be:

  • Use a cert signed by a common CA
  • Install a custom CA that your cert used
  • In libsoup set SoupSession*:tls-database to your private database

Simply disabling this property is likely the wrong solution as nothing is validated in that case.
