authorGustavo Noronha Silva <gns@gnome.org>2010-02-19 00:30:49 +0800
committerGustavo Noronha Silva <gns@gnome.org>2010-02-23 02:57:11 +0800
commit3e0f7dea754381c5ad11a06ccc62eb153382b498 (patch)
tree35942df25ac30024cf38d1e5c73961db128f40d9
parenta5858387b3bba793a65d8bd262e122604529045f (diff)
Report broken certs through the padlock icon
This uses a new feature in libsoup that reports, through a SoupMessageFlag, whether the message is talking to a server that has a trusted certificate. Bug #600663
-rw-r--r--configure.ac36
-rw-r--r--embed/ephy-embed-single.c15
-rw-r--r--embed/ephy-embed.c29
3 files changed, 71 insertions, 9 deletions
diff --git a/configure.ac b/configure.ac
index c177e76f1..37b98d7fc 100644
--- a/configure.ac
+++ b/configure.ac
@@ -247,6 +247,39 @@ fi
AM_CONDITIONAL([ENABLE_SEED],[test "$enable_seed" = "yes"])
+# *********************
+# CA Certificate file
+# Stolen from GIO's TLS
+# *********************
+
+AC_MSG_CHECKING([location of system Certificate Authority list])
+AC_ARG_WITH(ca-file,
+ [AC_HELP_STRING([--with-ca-file=@<:@path@:>@],
+ [path to system Certificate Authority list])])
+if test "$with_ca_file" = "no"; then
+ AC_MSG_RESULT([disabled])
+else
+ if test -z "$with_ca_file"; then
+ for f in /etc/pki/tls/certs/ca-bundle.crt \
+ /etc/ssl/certs/ca-certificates.crt; do
+ if test -f "$f"; then
+ with_ca_file="$f"
+ fi
+ done
+ if test -z "$with_ca_file"; then
+ AC_MSG_ERROR([could not find. Use --with-ca-file=path to set, or --without-ca-file to disable])
+ fi
+ fi
+
+ AC_MSG_RESULT($with_ca_file)
+ if ! test -f "$with_ca_file"; then
+ AC_MSG_ERROR([No such file '$with_ca_file'. Use --with-ca-file=path to set, or --without-ca-file to disable])
+ fi
+ GTLS_SYSTEM_CA_FILE="$with_ca_file"
+
+ AC_DEFINE_UNQUOTED([GTLS_SYSTEM_CA_FILE], ["$GTLS_SYSTEM_CA_FILE"], [path to system Certificate Authority list])
+fi
+
# ***
# NSS
# ***
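Review bot: The autodetection loop `for f in ...` has no `break`, so when both bundles exist the last one listed (`/etc/ssl/certs/ca-certificates.crt`) wins rather than the first; adding `break` after `with_ca_file="$f"` would make the listed order the precedence order. A bare `--with-ca-file` leaves `with_ca_file` set to `yes`, which then fails the later `test -f` with a confusing "No such file 'yes'" message; treating `yes` like the empty value would avoid that. Because the chosen path is compiled in as the browser's set of trust anchors, a short comment above `AC_DEFINE_UNQUOTED` saying so would help packagers who override it.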
@@ -456,5 +489,6 @@ Epiphany was configured with the following options:
GObject introspection : $found_introspection
Seed support : $enable_seed
NSS support : $enable_nss
- Build tests : $enable_tests
+ Build tests : $enable_tests
+ CA Certificates file : $GTLS_SYSTEM_CA_FILE
"
diff --git a/embed/ephy-embed-single.c b/embed/ephy-embed-single.c
index 44efecaed..8c05532df 100644
--- a/embed/ephy-embed-single.c
+++ b/embed/ephy-embed-single.c
@@ -39,6 +39,7 @@
#endif
#include <webkit/webkit.h>
+#include <glib/gi18n.h>
#include <libsoup/soup-gnome.h>
#include <gnome-keyring.h>
@@ -481,6 +482,20 @@ ephy_embed_single_initialize (EphyEmbedSingle *single)
session = webkit_get_default_session ();
+#ifdef GTLS_SYSTEM_CA_FILE
+ /* Check SSL certificates */
+
+ if (g_file_test (GTLS_SYSTEM_CA_FILE, G_FILE_TEST_EXISTS)) {
+ g_object_set (session,
+ SOUP_SESSION_SSL_CA_FILE, GTLS_SYSTEM_CA_FILE,
+ "ignore-ssl-cert-errors", TRUE,
+ NULL);
+ } else {
+ g_warning (_("CA Certificates file we should use was not found, "\
+ "all SSL sites will be considered to have a broken certificate."));
+ }
+#endif
+
/* Store cookies in moz-compatible SQLite format */
filename = g_build_filename (ephy_dot_dir (), "cookies.sqlite", NULL);
jar = soup_cookie_jar_sqlite_new (filename, FALSE);
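Review bot: Setting `"ignore-ssl-cert-errors"` to TRUE in the `g_object_set` call means a certificate failure no longer stops the request, so the load still completes against a server whose certificate did not validate and the padlock is the only signal the user gets. That trade-off deserves a comment at the call, for example `/* Cert errors are non-fatal here: the load continues and is only flagged through the security level set in ephy-embed.c */`. The property is passed as a bare string rather than a libsoup macro, so a rename upstream would presumably surface only as a runtime GLib warning. `G_FILE_TEST_EXISTS` also accepts a directory, where `G_FILE_TEST_IS_REGULAR` would match the configure-time `test -f`. The body of ephy_embed_single_initialize starts and ends outside this hunk.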
diff --git a/embed/ephy-embed.c b/embed/ephy-embed.c
index 7d2af54d2..acc4e94f5 100644
--- a/embed/ephy-embed.c
+++ b/embed/ephy-embed.c
@@ -220,15 +220,28 @@ load_status_changed_cb (WebKitWebView *view,
FALSE,
FALSE);
- /*
- * FIXME: as a temporary workaround while soup lacks the needed
- * security API, determine security level based on the existence of
- * a 'https' prefix for the URI
- */
- if (uri && g_str_has_prefix (uri, "https"))
- security_level = EPHY_WEB_VIEW_STATE_IS_SECURE_HIGH;
- else
+#ifdef GTLS_SYSTEM_CA_FILE
+ if (uri && g_str_has_prefix (uri, "https")) {
+ WebKitWebFrame *frame;
+ WebKitWebDataSource *source;
+ WebKitNetworkRequest *request;
+ SoupMessage *message;
+
+ frame = webkit_web_view_get_main_frame (view);
+ source = webkit_web_frame_get_data_source (frame);
+ request = webkit_web_data_source_get_request (source);
+ message = webkit_network_request_get_message (request);
+
+ if (message &&
+ (soup_message_get_flags (message) & SOUP_MESSAGE_CERTIFICATE_TRUSTED))
+ security_level = EPHY_WEB_VIEW_STATE_IS_SECURE_HIGH;
+ else
+ security_level = EPHY_WEB_VIEW_STATE_IS_BROKEN;
+ } else
security_level = EPHY_WEB_VIEW_STATE_IS_UNKNOWN;
+#else
+ security_level = EPHY_WEB_VIEW_STATE_IS_UNKNOWN;
+#endif
ephy_web_view_set_security_level (EPHY_WEB_VIEW (view), security_level);
} else if (status == WEBKIT_LOAD_PROVISIONAL || status == WEBKIT_LOAD_FINISHED) {
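Review bot: `EPHY_WEB_VIEW_STATE_IS_SECURE_HIGH` is decided from the main frame's SoupMessage alone, so a page whose top-level document has a trusted certificate would still show the full padlock when its subresources came from hosts with untrusted certificates (which the session now tolerates) or over plain http. If that is out of scope for this commit, a comment at the `soup_message_get_flags` check such as `/* FIXME: only the main resource is checked; subresources are not reflected in the security level */` would record the gap. Separately, `g_str_has_prefix (uri, "https")` matches any scheme that merely begins with those letters; `g_str_has_prefix (uri, "https://")` is tighter. The results of `webkit_web_frame_get_data_source` and `webkit_web_data_source_get_request` are passed on without a NULL check, and only `message` is tested. load_status_changed_cb starts and ends outside this hunk.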