Bug 1286034 - glib-networking reimplements certificate verification and it shouldn't
Status: CLOSED DUPLICATE of bug 1250175
Alias: None
Product: Fedora
Classification: Fedora
Component: glib-networking
Version: 24
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Matthias Clasen
QA Contact: Fedora Extras Quality Assurance
Duplicates: 1246492 1284655
Reported: 2015-11-27 10:02 UTC by Nikos Mavrogiannopoulos
Modified: 2016-02-29 23:08 UTC (History)

Last Closed: 2016-02-29 23:08:17 UTC
Type: Bug

Links
GNOME Bugzilla 753260 (last updated 2019-07-25 10:58:11 UTC)

Description Nikos Mavrogiannopoulos 2015-11-27 10:02:16 UTC
Description of problem:
glib-networking re-implements certificate verification instead of using the crypto library's certificate verification. There were reasons for this reimplementation, but in the long run we get more issues from that than benefits (see duplicates of this bug). There is not much point in enhancing glib's verification code, as it would be duplicating existing code and most likely it will remain unmaintained code which will not follow new approaches in cert verification or CA/B requirements (e.g., name constraints, usage of trust module, etc.).

For that we should convert that code to use the crypto library's (gnutls) verification code, and open RFEs for any features that may be missing.

Comment 1 Nikos Mavrogiannopoulos 2015-11-27 10:02:45 UTC
*** Bug 1284655 has been marked as a duplicate of this bug. ***

Comment 2 Nikos Mavrogiannopoulos 2015-11-27 10:03:35 UTC
*** Bug 1246492 has been marked as a duplicate of this bug. ***

Comment 3 Alicja Kario 2015-11-27 11:27:18 UTC
Using custom code also means that this certificate validation code is completely missed when cryptographic libraries are tested and audited.

Comment 4 Jan Kurik 2016-02-24 14:03:11 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 24 development cycle.
Changing version to '24'.

More information and reason for this action is here:
https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora24#Rawhide_Rebase

Comment 5 David King 2016-02-29 23:08:17 UTC

*** This bug has been marked as a duplicate of bug 1250175 ***

