[squeak-dev] The Inbox: WebClient-Core-fn.105.mcz

Levente Uzonyi leves at caesar.elte.hu
Thu Apr 27 17:15:16 UTC 2017


2 years ago I implemented a solution for this problem on Linux (actually 
platforms using OpenSSL), which integrated well with the way SqueakSSL 
worked (and still works)[1].
There was a plan for a better fix, but as it turned out, it was a 
mistake not to push the changes, because the new plan would require way 
too large an effort to be done.
IMHO, disabling verification is clearly not the solution.

Levente

[1] http://forum.world.st/SqueakSSL-SAN-certificates-td4828767.html

On Thu, 27 Apr 2017, commits at source.squeak.org wrote:

> A new version of WebClient-Core was added to project The Inbox:
> http://source.squeak.org/inbox/WebClient-Core-fn.105.mcz
>
> ==================== Summary ====================
>
> Name: WebClient-Core-fn.105
> Author: fn
> Time: 27 April 2017, 6:32:47.94973 pm
> UUID: 9d163339-62e5-4248-b3c4-773616160ea0
> Ancestors: WebClient-Core-jr.104
>
> Disable certificate validation on all platforms for the time being. It turns out, this does not only probably work on macOS, but also on Windows and Linux. The WebClient seems to have problems with some certificates used for popular domains, e.g. google.com and github.com. The Zinc library does not perform the validation as well at the moment.
>
> =============== Diff against WebClient-Core-jr.104 ===============
>
> Item was changed:
>  ----- Method: WebClient>>sslConnect (in category 'initialize') -----
>  sslConnect
>  	"Do the SSL handshake"
>  	"Connect the client to a web server"
>
>  	| sqSSL |
>  	proxyServer ifNotNil:[ | resp |
>  		"If we have a proxy server, do the proxy connect"
>  		resp := self proxyConnect.
>  		resp isSuccess ifFalse:[^resp].
>  	].
>
>  	sqSSL := Smalltalk at: #SqueakSSL ifAbsent:[self error: 'SqueakSSL is missing'].
>  	"Convert the stream to a secure stream"
>  	stream := sqSSL secureSocketStream on: stream socket.
>  	stream timeout: timeout.
>  	self sslConnect: stream to: lastServer.
> + 
> + 	"Normally, we would verify the cert now, but this does not work properly"
> + 	"stream verifyCert: self serverName."
> + 
> - 	"And cert verification
> - 	(unless on OSX, where this does not work yet)"
> - 	WebUtils platformName = 'Mac OS'
> - 		ifFalse: [stream verifyCert: self serverName].
>  	^ nil"indicating success"
>  !
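
Review bot: Commenting out `stream verifyCert: self serverName.` after `self sslConnect: stream to: lastServer.` removes the only certificate check in sslConnect on every platform, while the method still returns nil "indicating success", so callers cannot tell a verified connection from an unverified one. The removed lines skipped verification only when `WebUtils platformName = 'Mac OS'`; the replacement extends that to the platforms where the check was previously executed. If some certificates fail to validate, keep the `verifyCert:` call as the default and make skipping it an explicit per-client opt-in, or at minimum retain the old platform condition until the validation problem is fixed. The method comment "Do the SSL handshake" should also state whether the peer certificate is verified, and the new inline comment should say what "does not work properly" refers to so the line can be re-enabled later.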

