[squeak-dev] The Inbox: WebClient-Core-fn.105.mcz
Fabio Niephaus
lists at fniephaus.com
Thu Apr 27 17:32:52 UTC 2017
Hi Levente,
just to explain the change on a meta level: I don't like it either, and
it's definitely not the solution to the problem. But, for the time being,
it's probably better to be able to access web resources than getting a
debugger. On the other hand, it's already as bad for macOS users ;)
Anyhow, I agree that we need to work on a better solution and it's
unfortunate you didn't integrate your implementation. I'm afraid I don't
have enough time at the moment, but will look into this again at some point
if no one else is quicker...
Fabio
--
On Thu, Apr 27, 2017 at 7:15 PM Levente Uzonyi <leves at caesar.elte.hu> wrote:
> 2 years ago I implemented a solution for this problem on Linux (actually
> platforms using OpenSSL), which integrated well with the way SqueakSSL
> worked (and still works)[1].
> There was a plan for a better fix, but as it turned out, it was a
> mistake not to push the changes, because the new plan would require way
> too large an effort to be done.
> IMHO, disabling verification is clearly not the solution.
>
> Levente
>
> [1] http://forum.world.st/SqueakSSL-SAN-certificates-td4828767.html
>
> On Thu, 27 Apr 2017, commits at source.squeak.org wrote:
>
> > A new version of WebClient-Core was added to project The Inbox:
> > http://source.squeak.org/inbox/WebClient-Core-fn.105.mcz
> >
> > ==================== Summary ====================
> >
> > Name: WebClient-Core-fn.105
> > Author: fn
> > Time: 27 April 2017, 6:32:47.94973 pm
> > UUID: 9d163339-62e5-4248-b3c4-773616160ea0
> > Ancestors: WebClient-Core-jr.104
> >
> > Disable certificate validation on all platforms for the time being. It
> > turns out, this does not only probably work on macOS, but also on Windows
> > and Linux. The WebClient seems to have problems with some certificates used
> > for popular domains, e.g. google.com and github.com. The Zinc library
> > does not perform the validation as well at the moment.
> >
> > =============== Diff against WebClient-Core-jr.104 ===============
> >
> > Item was changed:
> > ----- Method: WebClient>>sslConnect (in category 'initialize') -----
> > sslConnect
> > "Do the SSL handshake"
> > "Connect the client to a web server"
> >
> > | sqSSL |
> > proxyServer ifNotNil:[ | resp |
> > "If we have a proxy server, do the proxy connect"
> > resp := self proxyConnect.
> > resp isSuccess ifFalse:[^resp].
> > ].
> >
> > sqSSL := Smalltalk at: #SqueakSSL ifAbsent:[self error: 'SqueakSSL
> is missing'].
> > "Convert the stream to a secure stream"
> > stream := sqSSL secureSocketStream on: stream socket.
> > stream timeout: timeout.
> > self sslConnect: stream to: lastServer.
> > +
> > + "Normally, we would verify the cert now, but this does not work
> properly"
> > + "stream verifyCert: self serverName."
> > +
> > - "And cert verification
> > - (unless on OSX, where this does not work yet)"
> > - WebUtils platformName = 'Mac OS'
> > - ifFalse: [stream verifyCert: self serverName].
> > ^ nil"indicating success"
> > !
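Review bot: With `stream verifyCert: self serverName.` now only present inside a comment at the end of `sslConnect`, no platform checks the server certificate after `self sslConnect: stream to: lastServer`, yet the method still returns `^ nil"indicating success"`, so a caller cannot tell a verified TLS session from an unverified one. Rather than commenting the call out, keep `stream verifyCert: self serverName` as the default path and put the bypass behind an explicit opt-out (a preference or a per-client flag), so the certificates that fail for google.com and github.com can be worked around without dropping verification for every host. The new comment "this does not work properly" should also state what fails and on which platforms, since the removed lines at least documented that the exception was limited to 'Mac OS'.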
>
>