Hi Levente,

just to explain the change on a meta level: I don't like it either, and
it's definitely not the solution to the problem. But, for the time being,
it's probably better to be able to access web resources than getting a
debugger. On the other hand, it's already as bad for macOS users ;)
Anyhow, I agree that we need to work on a better solution and it's
unfortunate, you didn't integrate your implementation. I'm afraid I don't
have enough time at the moment, but will look into this again at some point
if no one else is quicker...

Fabio

-- 

On Thu, Apr 27, 2017 at 7:15 PM Levente Uzonyi <leves at caesar.elte.hu> wrote:

> 2 years ago I implented a solution for this problem on Linux (actually
> platforms using OpenSSL), which integrated well with the way SqueakSSL
> worked (and still works)[1].
> There was a plan for a better fix, but as it turned out, that was a
> mistake not to push the changes, because the new plan would require way
> too large effort to be done.
> IMHO, disabling verification is clearly not the solution.
>
> Levente
>
> [1] http://forum.world.st/SqueakSSL-SAN-certificates-td4828767.html
>
> On Thu, 27 Apr 2017, commits at source.squeak.org wrote:
>
> > A new version of WebClient-Core was added to project The Inbox:
> > http://source.squeak.org/inbox/WebClient-Core-fn.105.mcz
> >
> > ==================== Summary ====================
> >
> > Name: WebClient-Core-fn.105
> > Author: fn
> > Time: 27 April 2017, 6:32:47.94973 pm
> > UUID: 9d163339-62e5-4248-b3c4-773616160ea0
> > Ancestors: WebClient-Core-jr.104
> >
> > Disable certificate validation on all platforms for the time being. It
> turns out, this does not only probably work on macOS, but also on Windows
> and Linux. The WebClient seems to have problems with some certificates used
> for popular domains, e.g. google.com and github.com. The Zinc library
> does not perform the validation as well at the moment.
> >
> > =============== Diff against WebClient-Core-jr.104 ===============
> >
> > Item was changed:
> >  ----- Method: WebClient>>sslConnect (in category 'initialize') -----
> >  sslConnect
> >       "Do the SSL handshake"
> >       "Connect the client to a web server"
> >
> >       | sqSSL |
> >       proxyServer ifNotNil:[ | resp |
> >               "If we have a proxy server, do the proxy connect"
> >               resp := self proxyConnect.
> >               resp isSuccess ifFalse:[^resp].
> >       ].
> >
> >       sqSSL := Smalltalk at: #SqueakSSL ifAbsent:[self error: 'SqueakSSL
> is missing'].
> >       "Convert the stream to a secure stream"
> >       stream := sqSSL secureSocketStream on: stream socket.
> >       stream timeout: timeout.
> >       self sslConnect: stream to: lastServer.
> > +
> > +     "Normally, we would verify the cert now, but this does not work
> properly"
> > +     "stream verifyCert: self serverName."
> > +
> > -     "And cert verification
> > -     (unless on OSX, where this does not work yet)"
> > -     WebUtils platformName = 'Mac OS'
> > -             ifFalse: [stream verifyCert: self serverName].
> >       ^ nil"indicating success"
> >  !
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squeakfoundation.org/pipermail/squeak-dev/attachments/20170427/61bd3b93/attachment.html>