personas: Added a TODO FIXME wrt. ssl negotiation.

Change-Id: I5f5889b6e63e8e6763abc39690adb78d48929783

personas: Added a TODO FIXME wrt. ssl negotiation.
Change-Id: I5f5889b6e63e8e6763abc39690adb78d48929783
a6fc653b · Jan Holesovsky · f4003ccb · a6fc653b
Kaydet (Commit) a6fc653b authored Agu 14, 2014 tarafından Jan Holesovsky
Hide whitespace changes
Inline Side-by-side

Showing with 31 additions and 0 deletions

personalization.cxx cui/source/options/personalization.cxx +31 -0

No files found.
--- a/cui/source/options/personalization.cxx
+++ b/cui/source/options/personalization.cxx
@@ -123,6 +123,37 @@ IMPL_LINK( SelectPersonaDialog, SearchPersonas, PushButton*, pButton )
    if( searchTerm.isEmpty( ) )
        return 0;

+    // TODO FIXME!
+    // Before the release, the allizom.org url shoud be changed to:
+    // OUString rSearchURL = "https://services.addons.mozilla.org/en-US/firefox/api/1.5/search/" + searchTerm + "/9/9";
+    // The problem why it cannot be done just now is that the SSL negotiation
+    // with services.addons.mozilla.org fails very early - during an early
+    // propfind, SSL returns X509_V_ERR_CERT_UNTRUSTED to neon, causing the
+    // NE_SSL_UNTRUSTED being set in verify_callback in neon/src/ne_openssl.c
+    //
+    // This is not cleared anywhere during the init, and so later, even though
+    // we have found the certificate, this triggers
+    // NeonSession_CertificationNotify callback, that
+    // causes that NE_SSL_UNTRUSTED is igored in cases when the condition
+    //   if ( pSession->isDomainMatch(
+    //      GetHostnamePart( xEECert.get()->getSubjectName() ) ) )
+    // is true; but that is only when getSubjectName() actually returns a
+    // wildcard, or the exact name.
+    //
+    // In the case of services.addons.mozilla.com, the certificate is for
+    // versioncheck.addons.mozilla.com, but it also has
+    //   X509v3 Subject Alternative Name:
+    //       DNS:services.addons.mozilla.org, DNS:versioncheck-bg.addons.mozilla.org, DNS:pyrepo.addons.mozilla.org, DNS:versioncheck.addons.mozilla.org
+    // So it is all valid; but the early X509_V_ERR_CERT_UNTRUSTED failure
+    // described above just makes this being ignored.
+    //
+    // My suspicion is that this never actually worked, and the
+    //   if ( pSession->isDomainMatch(
+    //      GetHostnamePart( xEECert.get()->getSubjectName() ) ) )
+    // works around the root cause that is there for years, and which makes it
+    // work in most cases.  I guess that we initialize something wrongly or
+    // too late; but I have already spent few hours debugging, and
+    // give up for the moment - need to return to this at some stage.
    OUString rSearchURL = "https://addons.allizom.org/en-US/firefox/api/1.5/search/" + searchTerm + "/9/9";
    m_rSearchThread = new SearchAndParseThread( this, rSearchURL );
    m_rSearchThread->launch();