<div dir="ltr">Hi Levente,<div><br></div><div>just to explain the change on a meta level: I don't like it either, and it's definitely not the solution to the problem. But, for the time being, it's probably better to be able to access web resources than getting a debugger. On the other hand, it's already as bad for macOS users ;)</div><div>Anyhow, I agree that we need to work on a better solution and it's unfortunate, you didn't integrate your implementation. I'm afraid I don't have enough time at the moment, but will look into this again at some point if no one else is quicker...</div><div><br></div><div>Fabio</div><div><br><div class="GmSign">-- <br></div><br><div class="gmail_quote"><div dir="ltr">On Thu, Apr 27, 2017 at 7:15 PM Levente Uzonyi <<a href="mailto:leves@caesar.elte.hu">leves@caesar.elte.hu</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">2 years ago I implented a solution for this problem on Linux (actually<br>
platforms using OpenSSL), which integrated well with the way SqueakSSL<br>
worked (and still works)[1].<br>
There was a plan for a better fix, but as it turned out, that was a<br>
mistake not to push the changes, because the new plan would require way<br>
too large effort to be done.<br>
IMHO, disabling verification is clearly not the solution.<br>
<br>
Levente<br>
<br>
[1] <a href="http://forum.world.st/SqueakSSL-SAN-certificates-td4828767.html" rel="noreferrer" target="_blank">http://forum.world.st/SqueakSSL-SAN-certificates-td4828767.html</a><br>
<br>
On Thu, 27 Apr 2017, <a href="mailto:commits@source.squeak.org" target="_blank">commits@source.squeak.org</a> wrote:<br>
<br>
> A new version of WebClient-Core was added to project The Inbox:<br>
> <a href="http://source.squeak.org/inbox/WebClient-Core-fn.105.mcz" rel="noreferrer" target="_blank">http://source.squeak.org/inbox/WebClient-Core-fn.105.mcz</a><br>
><br>
> ==================== Summary ====================<br>
><br>
> Name: WebClient-Core-fn.105<br>
> Author: fn<br>
> Time: 27 April 2017, 6:32:47.94973 pm<br>
> UUID: 9d163339-62e5-4248-b3c4-773616160ea0<br>
> Ancestors: WebClient-Core-jr.104<br>
><br>
> Disable certificate validation on all platforms for the time being. It turns out, this does not only probably work on macOS, but also on Windows and Linux. The WebClient seems to have problems with some certificates used for popular domains, e.g. <a href="http://google.com" rel="noreferrer" target="_blank">google.com</a> and <a href="http://github.com" rel="noreferrer" target="_blank">github.com</a>. The Zinc library does not perform the validation as well at the moment.<br>
><br>
> =============== Diff against WebClient-Core-jr.104 ===============<br>
><br>
> Item was changed:<br>
> ----- Method: WebClient>>sslConnect (in category 'initialize') -----<br>
> sslConnect<br>
> "Do the SSL handshake"<br>
> "Connect the client to a web server"<br>
><br>
> | sqSSL |<br>
> proxyServer ifNotNil:[ | resp |<br>
> "If we have a proxy server, do the proxy connect"<br>
> resp := self proxyConnect.<br>
> resp isSuccess ifFalse:[^resp].<br>
> ].<br>
><br>
> sqSSL := Smalltalk at: #SqueakSSL ifAbsent:[self error: 'SqueakSSL is missing'].<br>
> "Convert the stream to a secure stream"<br>
> stream := sqSSL secureSocketStream on: stream socket.<br>
> stream timeout: timeout.<br>
> self sslConnect: stream to: lastServer.<br>
> +<br>
> + "Normally, we would verify the cert now, but this does not work properly"<br>
> + "stream verifyCert: self serverName."<br>
> +<br>
> - "And cert verification<br>
> - (unless on OSX, where this does not work yet)"<br>
> - WebUtils platformName = 'Mac OS'<br>
> - ifFalse: [stream verifyCert: self serverName].<br>
> ^ nil"indicating success"<br>
> !<br>
<br>
</blockquote></div></div></div>