KIO design problem
George Staikos
staikos at kde.org
Sun Dec 1 19:42:10 GMT 2002
I was investigating the problems with sourceforge and I came upon this
behaviour:
CN for the certificate on https://*.sourceforge.net is set to
"sourceforge.net". Why they did this, I do not know. Anyways, the result is
that whenever the browser tries to do an https session with
*.sourceforge.net, this is what it looks like:

GET / HTTP/1.1
Host: www.sourceforge.net

HTTP/1.1 302 Found
Date: Sun, 01 Dec 2002 19:34:19 GMT
Server: Apache/1.3.27 (Unix) PHP/4.1.2 mod_ssl/2.8.12 OpenSSL/0.9.6b
X-Powered-By: PHP/4.1.2
Location: https://sourceforge.net/
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html

0
closed

Mozilla immediately changes the URL to http://sourceforge.net. However, we
verify SSL before it gets to the slave, so no protocol information is known.
What do we do here? I don't like the idea of trusting a remote site in SSL
mode before we even verify its credentials, but it seems that other browsers
actually do so (!!). Do we have to have a call-back here so that the slave
can decide to postpone or cancel certificate verification? Any other
suggestions?
--
George Staikos
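
The name check at issue in the message above, as an added example that is not part of the original post and is not KIO code. The function names, the single-name comparison and the one-label wildcard rule are assumptions made for illustration; the policy shown is the strict one, where the redirect is only read after the certificate matches the host that was requested.

```cpp
// Added illustration, not KIO code. All names here are hypothetical.
#include <algorithm>
#include <cctype>
#include <string>

// Lowercase a DNS name for case-insensitive comparison.
static std::string lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// True if the certificate name covers the requested host.
// Assumed rule: a wildcard is accepted only as the whole leftmost label
// ("*.example.org") and stands for exactly one label, so it never covers
// the bare domain.
bool certNameMatchesHost(const std::string &certName, const std::string &host) {
    const std::string name = lower(certName), h = lower(host);
    if (name.empty() || h.empty()) return false;
    if (name.compare(0, 2, "*.") != 0) return name == h;   // exact match only
    const std::string suffix = name.substr(1);             // ".example.org"
    if (suffix.find('*') != std::string::npos) return false;
    if (h.size() <= suffix.size()) return false;
    const std::string::size_type cut = h.size() - suffix.size();
    if (h.compare(cut, std::string::npos, suffix) != 0) return false;
    return h.find('.') == cut;                             // one label before suffix
}

enum class Action { Abort, FollowRedirect };

// Verification runs against the host the user asked for, before any HTTP
// bytes are interpreted. The Location header is server-controlled input and
// is only considered once the peer has been authenticated.
Action handleRedirect(const std::string &requestedHost,
                      const std::string &certName,
                      const std::string &locationHost) {
    if (!certNameMatchesHost(certName, requestedHost)) return Action::Abort;
    (void)locationHost; // the redirect target gets its own handshake and check
    return Action::FollowRedirect;
}
```

With the values from the post, a request to www.sourceforge.net against a certificate named "sourceforge.net" stops before the 302 is ever read, which is the case the message asks about.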