Hi,

On Friday 06 August 2010 Dan Winship wrote:
> On 08/06/2010 06:17 AM, Christian Hilberg wrote:
> [...]
> > On a second thought: Should libsoup even bother about client side SSL
> > certificates? To me, it seems more like a thing to be handled by the SSL
> > layer itself (i.e. the GnuTLS lib). Having to care for SSL certificates
> > within libsoup looks like a layer breach to me, but my knowledge about
> > the details in this case is limited.
>
> Something needs to tell gnutls that you want it to use the certificate.
> If the user has more than one certificate, something needs to ask the
> user which one to use.
>
> It's not really that libsoup needs to be involved so much as the
> application needs to be involved, and libsoup sits between the
> application and gnutls, and so needs to be part of the conversation.

How hard would it be to add some basic support for this to libsoup?
If libsoup can't support client certs, then we would have to resort
to another HTML lib. This is something I'd like to avoid. What's more,
we have tight time constraints for our project, which means that we
need a quick solution to the issue. If we could hack(*) something into
libsoup which would allow us to use a single cert for now, this would
also help us much.

The GSocket stuff sounds interesting, but alas, we cannot wait until
this has settled, and support for client certificates is a must for us.
If we can provide some basic support (e.g. only handle one single cert),
then we would possibly be able to convince our customer that general cert
support will be available shortly after the GSocket changes have
materialized.

Best regards,

Christian

(*) Well, yes, "hacking something into libsoup" sounds like a bad idea,
especially when it comes to security issues... just, I don't really
have any better one right now...

--
kernel concepts GbR        Tel: +49-271-771091-14
Sieghuetter Hauptweg 48    Fax: +49-271-771091-19
D-57072 Siegen
http://www.kernelconcepts.de/