Bug 1286034

Summary: glib-networking reimplements certificate verification and it shouldn't
Product: [Fedora] Fedora
Reporter: Nikos Mavrogiannopoulos <nmavrogi>
Component: glib-networking
Assignee: Matthias Clasen <mclasen>
Status: CLOSED DUPLICATE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 24
CC: amigadave, danw, dwmw2, hkario, kdudka, kengert, mclasen, tmraz
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Type: Bug
Last Closed: 2016-02-29 23:08:17 UTC

Description Nikos Mavrogiannopoulos 2015-11-27 10:02:16 UTC
Description of problem:
glib-networking re-implements certificate verification instead of using the crypto library's certificate verification. There were reasons for this reimplementation, but in the long run we get more issues from that than benefits (see duplicates of this bug). There is not much point in enhancing glib's verification code, as it would be duplicating existing code and most likely it will remain unmaintained code which will not follow new approaches in cert verification or CA/B requirements (e.g., name constraints, usage of trust module, etc.).

For that reason we should convert that code to use the crypto library's (gnutls) verification code, and open RFEs for any features that may be missing.

Comment 1 Nikos Mavrogiannopoulos 2015-11-27 10:02:45 UTC
*** Bug 1284655 has been marked as a duplicate of this bug. ***

Comment 2 Nikos Mavrogiannopoulos 2015-11-27 10:03:35 UTC
*** Bug 1246492 has been marked as a duplicate of this bug. ***

Comment 3 Hubert Kario 2015-11-27 11:27:18 UTC
Using custom code also means that this certificate validation code is completely missed when cryptographic libraries are tested and audited.

Comment 4 Jan Kurik 2016-02-24 14:03:11 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 24 development cycle.
Changing version to '24'.

More information and reason for this action is here:
https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora24#Rawhide_Rebase

Comment 5 David King 2016-02-29 23:08:17 UTC
*** This bug has been marked as a duplicate of bug 1250175 ***