bug#34861: TLS Error with Flatpak

["Raghav Gururajan" <rvgn@disroot.org>]

[-- Attachment #1: Type: text/plain, Size: 3018 bytes --]

Hello Ricardo!

Please find the following information.

FROM FLATPAK SOURECODE:

SoupSession *
flatpak_create_soup_session (const char *user_agent)
{
SoupSession *soup_session;
const char *http_proxy;

soup_session = soup_session_new_with_options (SOUP_SESSION_USER_AGENT, user_agent,
SOUP_SESSION_SSL_USE_SYSTEM_CA_FILE, TRUE,
SOUP_SESSION_USE_THREAD_CONTEXT, TRUE,
SOUP_SESSION_TIMEOUT, 60,
SOUP_SESSION_IDLE_TIMEOUT, 60,
NULL);
soup_session_remove_feature_by_type (soup_session, SOUP_TYPE_CONTENT_DECODER);
http_proxy = g_getenv ("http_proxy");
if (http_proxy)
{
g_autoptr(SoupURI) proxy_uri = soup_uri_new (http_proxy);
if (!proxy_uri)
g_warning ("Invalid proxy URI '%s'", http_proxy);
else
g_object_set (soup_session, SOUP_SESSION_PROXY_URI, proxy_uri, NULL);
}

if (g_getenv ("OSTREE_DEBUG_HTTP"))
soup_session_add_feature (soup_session, (SoupSessionFeature *) soup_logger_new (SOUP_LOGGER_LOG_BODY, 500));

return soup_session;
}

FROM LIBSOUP MANUAL:

The “ssl-use-system-ca-file” property

“ssl-use-system-ca-file” gboolean

Setting this to TRUE is equivalent to setting “tls-database” to the default system CA database. (and likewise, setting “tls-database” to the default database by hand will cause this property to become TRUE).

Setting this to FALSE (when it was previously TRUE) will clear the “tls-database” field.

See “ssl-strict” for more information on how https certificate validation is handled.

The “ssl-strict” property

“ssl-strict” gboolean

Normally, if “tls-database” is set (including if it was set via “ssl-use-system-ca-file” or “ssl-ca-file”), then libsoup will reject any certificate that is invalid (ie, expired) or that is not signed by one of the given CA certificates, and the SoupMessage will fail with the status SOUP_STATUS_SSL_FAILED.

If you set “ssl-strict” to FALSE, then all certificates will be accepted, and you will need to call soup_message_get_https_status() to distinguish valid from invalid certificates. (This can be used, eg, if you want to accept invalid certificates after giving some sort of warning.)

For a plain SoupSession, if the session has no CA file or TLS database, and this property is TRUE, then all certificates will be rejected.

--
Regards,
RG.

March 18, 2019 9:24 PM, "Ricardo Wurmus" <rekado@elephly.net (mailto:rekado@elephly.net)> wrote:
 Raghav Gururajan <rvgn@disroot.org (mailto:rvgn@disroot.org)> writes:
 Yes, I did them. Still did not work.

I did the following to set env variables:

$ guix package -i nss-certs
$ export SSL_CERT_DIR="$HOME/.guix-profile/etc/ssl/certs"
$ export SSL_CERT_FILE="$HOME/.guix-profile/etc/ssl/certs/ca-certificates.crt"
$ export GIT_SSL_CAINFO="$SSL_CERT_FILE" 

Flatpak uses libsoup with SOUP_SESSION_SSL_USE_SYSTEM_CA_FILE. libsoup
delegates TLS handling to glib-networking.

Raghav, could you trace flatpak to see what certificate files it is
trying to access?

--
Ricardo

[-- Attachment #2: Type: text/html, Size: 3643 bytes --]