[Dillo-dev] SSL in the browser


eocene

Oct 13, 2014, 6:13:12 PM
to dill...@dillo.org

My code for SSL in the browser hasn't been giving me any problems in
recent days, so it would be nice to give it some wider use.

http://www.dillo.org/test/ssl_in_browser.diff


_______________________________________________
Dillo-dev mailing list
Dill...@dillo.org
http://lists.dillo.org/cgi-bin/mailman/listinfo/dillo-dev

eocene

Oct 14, 2014, 2:31:30 PM
to dill...@dillo.org
I wrote:
> My code for SSL in the browser hasn't been giving me any problems in
> recent days, so it would be nice to give it some wider use.
>
> http://www.dillo.org/test/ssl_in_browser.diff

Found a bug :(
Fixed it :)
New version up.

eocene

Oct 20, 2014, 7:50:09 PM
to dill...@dillo.org
I wrote:
> http://www.dillo.org/test/ssl_in_browser.diff

Fixed a couple of bugs, added a couple of features, new version up.

Jorge Arellano Cid

Oct 21, 2014, 10:31:34 AM
to dill...@dillo.org
Hi corvid,

On Mon, Oct 20, 2014 at 11:47:35PM +0000, eocene wrote:
> I wrote:
> > http://www.dillo.org/test/ssl_in_browser.diff
>
> Fixed a couple of bugs, added a couple of features, new version up.

Oh, as our mailsearch doesn't work anymore, is there
a URL to the original thread (Gmane style) or something?

I'd like to remember what the main point of having SSL inside
the browser was. I'm getting old. ;)

--
Cheers
Jorge.-

eocene

Oct 21, 2014, 12:44:58 PM
to dill...@dillo.org
Jorge wrote:
> Oh, as our mailsearch doesn't work anymore, is there
> a URL to the original thread (Gmane style) or something?
>
> I'd like to remember what the main point of having SSL inside
> the browser was. I'm getting old. ;)

Looking briefly, I couldn't find relevant discussion. Possibly it
was off list. My recollection is that, at the time, it had to do with
seeing how SSL was becoming more and more central to browsing with
things like 'HTTPS Everywhere' and 'HTTP Strict Transport Security'
coming along and the issue of privacy gaining increasing public
awareness.

As for this effort now, I started just by wondering what it would
look like if I integrated Benjamin's code and took out the windows
stuff. It was working pretty well very quickly. And now I like how
much more respectful of servers and resources Dillo can be when
HTTPS is integrated with the http_max_conns queuing and
http_persistent_conns. I think Johannes mentioned something about
Dillo and Tor not working together so well with HTTPS in a dpi,
but I don't know the details there.

Andreas Kemnade

Oct 21, 2014, 1:01:06 PM
to Jorge Arellano Cid, dill...@dillo.org
Hi,

On Tue, 21 Oct 2014 11:29:06 -0300
Jorge Arellano Cid <jc...@dillo.org> wrote:

> Hi corvid,
>
> On Mon, Oct 20, 2014 at 11:47:35PM +0000, eocene wrote:
> > I wrote:
> > > http://www.dillo.org/test/ssl_in_browser.diff
> >
> > Fixed a couple of bugs, added a couple of features, new version up.
>
> Oh, as our mailsearch doesn't work anymore, is there
> a URL to the original thread (Gmane style) or something?
>
> I'd like to remember what the main point of having SSL inside
> the browser was. I'm getting old. ;)
>
here is a list of subjects which contain https, maybe that helps a bit.

2003-June.txt:Subject: [Dillo-dev] HTTPS support
2003-March.txt:Subject: [Dillo-dev] https approaches?
2003-March.txt:Subject: [Dillo-dev] Re: https approaches?
2003-November.txt:Subject: [Dillo-dev] Re: https dpi
2003-November.txt:Subject: [Dillo-dev] HTTPS Patch
2003-November.txt:Subject: [Dillo-dev] tabs, https, ...
2003-November.txt:Subject: [Dillo-dev] Small bug with combined frames/tabs/https patch and gcc 2.9x
2003-November.txt:Subject: [Dillo-dev] Small bug with combined frames/tabs/https patch
2003-November.txt:Subject: [Dillo-dev] [PATCH] HTTPS version 2.
2003-October.txt:Subject: [Dillo-dev] HTTPS patch
2003-October.txt:Subject: [Dillo-dev] HTTPS Patch
2004-February.txt:Subject: [Dillo-dev] Re: https dpi
2004-January.txt:Subject: [Dillo-dev] Re: https dpi
2004-July.txt:Subject: [Dillo-dev]https
2004-July.txt:Subject: [Dillo-dev]HTTPS
2004-July.txt:Subject: [Dillo-dev]Re: HTTPS
2004-July.txt:Subject: [Dillo-dev]dpip dialog for https (and dpis in general)
2004-July.txt:Subject: [Dillo-dev]https patch
2004-July.txt:Subject: [Dillo-dev]dpip dialog for https (and dpis in general)
2004-July.txt:Subject: [Dillo-dev]More https goodness
2004-July.txt:Subject: [Dillo-dev]Replying to lists (was: dpip dialog for https (and dpis in general))
2004-July.txt:Subject: [Dillo-dev]More https goodness
2004-July.txt:Subject: [Dillo-dev]HTTPS certificate support
2004-July.txt:Subject: [Dillo-dev]HTTPS Cleanup
2004-June.txt:Subject: [Dillo-dev]https (eg for posting to ps2 bulletin boards)
2004-March.txt:Subject: [Dillo-dev]Re: https hungs dillo up...
2004-May.txt:Subject: [Dillo-dev]https (eg for posting to ps2 bulletin boards)
2004-November.txt:Subject: [Dillo-dev]https by lynx -source
2004-September.txt:Subject: [Dillo-dev]https
2005-February.txt:Subject: [Dillo-dev]testing https plugin gave problems
2005-January.txt:Subject: [Dillo-dev]https, ssl & certificates
2005-July.txt:Subject: [Dillo-dev]cookies dpi over https and dpi framework
2005-June.txt:Subject: [Dillo-dev]cookies dpi over https and dpi framework
2007-October.txt:Subject: [Dillo-dev] https and OpenBSD
2008-April.txt:Subject: [Dillo-dev] [PATCH]: Fixing https step 1: Have a basic dpi dialog
2008-April.txt:Subject: [Dillo-dev] [PATCH]: Fixing https step 1: Have a basic dpi
2008-April.txt:Subject: [Dillo-dev] [PATCH]: Fixing https step 1: Have a basic dpi dialog
2008-April.txt:Subject: [Dillo-dev] [PATCH]: Fixing https step 1: Have a basic dpi
2008-March.txt:Subject: [Dillo-dev] https plugin status
2008-March.txt:Subject: [Dillo-dev] [PATCH]: send the https dpi plugin debug messages to the
2008-March.txt:Subject: [Dillo-dev] https plugin status
2008-March.txt:Subject: [Dillo-dev] [PATCH]: Fixing https step 1: Have a basic dpi dialog
2008-March.txt:Subject: [Dillo-dev] [PATCH]: Fixing https step 1: Have a basic dpi
2008-March.txt:Subject: [Dillo-dev] [PATCH]: Fixing https step 1: Have a basic dpi dialog
2008-March.txt:Subject: [Dillo-dev] https plugin status
2008-March.txt:Subject: [Dillo-dev] [PATCH]: Fixing https step 1: Have a basic dpi
2008-March.txt:Subject: [Dillo-dev] https plugin status
2008-March.txt:Subject: [Dillo-dev] [PATCH]: Fixing https step 1: Have a basic dpi dialog
2008-March.txt:Subject: [Dillo-dev] https plugin status
2008-November.txt:Subject: [PATCH] Update the GPL version in the OpenSSL exception clause in dpi/https.c
2008-November.txt:Subject: [Dillo-dev] A warning about HTTPS and proxies
2008-October.txt:Subject: [PATCH] https: Improve the plugin warnings when SSL is disabled.
2008-October.txt:Subject: [Dillo-dev] https error handling
2008-October.txt:Subject: [PATCH] Update the GPL version in the OpenSSL exception clause in dpi/https.c
2009-July.txt:Subject: [Dillo-dev] [patch] check for dpip_tag == NULL in https.c
2009-June.txt:Subject: patch: Re: [Dillo-dev] https through a proxy
2009-May.txt:Subject: [Dillo-dev] https through a proxy
2009-May.txt:Subject: patch: Re: [Dillo-dev] https through a proxy
2010-January.txt:Subject: [Dillo-dev] experimental patch: gnutls for the https dpi
2010-October.txt:Subject: [Dillo-dev] Https remote certificate cannot be verified
2011-December.txt:Subject: [Dillo-dev] IPv6 and HTTPS (Re: release candidate for dillo-3.0.2)
2011-December.txt:Subject: [Dillo-dev] IPv6 and HTTPS (Re: release candidate for
2012-October.txt:Subject: [Dillo-dev] https unpleasantness
2013-February.txt:Subject: [Dillo-dev] https related crash
2013-March.txt:Subject: [Dillo-dev] https related crash

Greetings
Andreas Kemnade

Johannes Hofmann

Oct 23, 2014, 6:03:14 AM
to dill...@dillo.org
On Tue, Oct 21, 2014 at 04:42:24PM +0000, eocene wrote:
> Jorge wrote:
> > Oh, as our mailsearch doesn't work anymore, is there
> > a URL to the original thread (Gmane style) or something?
> >
> > I'd like to remember what the main point of having SSL inside
> > the browser was. I'm getting old. ;)
>
> Looking briefly, I couldn't find relevant discussion. Possibly it
> was off list. My recollection is that, at the time, it had to do with
> seeing how SSL was becoming more and more central to browsing with
> things like 'HTTPS Everywhere' and 'HTTP Strict Transport Security'
> coming along and the issue of privacy gaining increasing public
> awareness.
>
> As for this effort now, I started just by wondering what it would
> look like if I integrated Benjamin's code and took out the windows
> stuff. It was working pretty well very quickly. And now I like how
> much more respectful of servers and resources Dillo can be when
> HTTPS is integrated with the http_max_conns queuing and
> http_persistent_conns. I think Johannes mentioned something about
> Dillo and Tor not working together so well with HTTPS in a dpi,
> but I don't know the details there.

There is a potential loophole if you start dillo in a torified
environment and dpid is running outside. Then https connections go
via the non-torified https plugin. It's a small detail, but it
happened to me.
I'm mostly interested in getting SSL support from an unmaintained
experimental state to a properly supported and maintained option.

Cheers,
Johannes

James C

Oct 25, 2014, 10:58:58 PM
to dill...@dillo.org
I've got gmail going, using the ~/.dillo/certs certificate store. It
took a bit of poking around, so I'm attaching my notes to myself in
case they're useful for someone else.
README.txt

eocene

Oct 26, 2014, 12:12:39 AM
to dill...@dillo.org
James wrote:
> I've got gmail going, using the ~/.dillo/certs certificate store. It
> took a bit of poking around, so I'm attaching my notes to myself in
> case they're useful for someone else.

Is the code complaining about every certificate by default, or was gmail
specifically giving you trouble?

eocene

Oct 26, 2014, 2:08:22 AM
to dill...@dillo.org
James wrote:
> Every certificate that doesn't have something at the root of its chain, as it should. I'm on osx and there is no /etc/ssl/certs, so I had no roots until I started loading them.

Where does OSX keep them?

I'd looked on the web a bit in the past in case there was any simple
consensus out there on the matter of where to check, but didn't find
anything.

I'll see where curl checks. Whatever they do is probably a good idea.

James C

Oct 26, 2014, 6:42:48 AM
to dill...@dillo.org
Firefox keeps them in a database called cert8.db in
<user>/Library/Application Support/Firefox/Profiles/*/

Safari keeps them in /System/Library/Keychains/SystemCACertificates.keychain

Neither of these formats is legible to OpenSSL.

These comments are about Firefox 32.0.3, and OSX 10.6.8 which is now
obsolete. Later versions may do things differently.

eocene

Oct 27, 2014, 6:02:37 PM
to dill...@dillo.org

I put up a new version that checks various locations for certificates
and permits a location to be specified during configuration.

It may not make any difference for osx, but maybe it will help the BSDs.

http://www.dillo.org/test/ssl_in_browser.diff
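
Added example, not part of the thread and not code from the patch: one way to probe several CA certificate locations with an optional configured override, as discussed in the messages above. The candidate list, the names `classify` and `find_ca_store`, and the choice to fail rather than fall back when the override is unusable are assumptions of this sketch.

```c
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>
/* CA_FILE / CA_DIR map to OpenSSL's CAfile / CApath arguments. */
typedef enum { CA_NONE, CA_FILE, CA_DIR } ca_kind;

/* Assumed list of common system locations, not the patch's own list. */
const char *const ca_default_candidates[] = {
    "/etc/ssl/certs/ca-certificates.crt",     /* Debian, Ubuntu bundle */
    "/etc/pki/tls/certs/ca-bundle.crt",       /* Fedora, RHEL bundle */
    "/etc/ssl/cert.pem",                      /* OpenBSD bundle */
    "/usr/local/share/certs/ca-root-nss.crt", /* FreeBSD ca_root_nss */
    "/etc/ssl/certs", NULL                    /* hashed directory */
};

/* Usable means a readable non-empty file or a searchable directory. */
static ca_kind classify(const char *path)
{
    struct stat st;
    if (!path || stat(path, &st) != 0)
        return CA_NONE;
    if (S_ISREG(st.st_mode) && st.st_size > 0 && access(path, R_OK) == 0)
        return CA_FILE;
    return (S_ISDIR(st.st_mode) && access(path, R_OK | X_OK) == 0) ? CA_DIR : CA_NONE;
}

/* A configured location wins; if it is unusable, fail instead of falling back. */
ca_kind find_ca_store(const char *conf, const char *const *cands,
                      const char **chosen)
{
    ca_kind k = CA_NONE;
    *chosen = NULL;
    if (conf && *conf) {
        if ((k = classify(conf)) != CA_NONE)
            *chosen = conf;
        return k;
    }
    for (; *cands && k == CA_NONE; cands++)
        if ((k = classify(*cands)) != CA_NONE)
            *chosen = *cands;
    return k;
}

int main(void)
{
    const char *p;
    ca_kind k = find_ca_store(NULL, ca_default_candidates, &p);
    return printf("%s\n", k == CA_NONE ? "no usable CA store" : p) < 0;
}
```

When nothing is found, as on the OS X system described in the thread, the caller should surface that no roots are loaded rather than treat every chain as acceptable.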

eocene

May 8, 2015, 11:50:49 AM
to dill...@dillo.org

I had planned to wait until after 3.1 to integrate the ssl-in-browser
code, but since 1) dillo hasn't been moving toward release lately and
2) Johannes tells me that the patch has been working well for him, I
now plan to put it into dillo when I get a chance in coming days.

Having it in dillo means that dillo can be a better internet citizen
(http_max_conns, http_persistent_conns), there is certificate hostname
checking borrowed from wget, server name indication (fewer certificate
warnings), we can remember for the session that the user accepted the
use of a questionable certificate instead of continuing to give warnings,
we can check non-root-url certificates without endless warning popups...

eocene

May 8, 2015, 10:40:54 PM
to dill...@dillo.org
I wrote:
> I had planned to wait until after 3.1 to integrate the ssl-in-browser
> code, but since 1) dillo hasn't been moving toward release lately and
> 2) Johannes tells me that the patch has been working well for him, I
> now plan to put it into dillo when I get a chance in coming days.
>
> Having it in dillo means that dillo can be a better internet citizen
> (http_max_conns, http_persistent_conns), there is certificate hostname
> checking borrowed from wget, server name indication (fewer certificate
> warnings), we can remember for the session that the user accepted the
> use of a questionable certificate instead of continuing to give warnings,
> we can check non-root-url certificates without endless warning popups...

(Also the Tor + dpi issue that Johannes mentioned last year)

Committed.

I'm looking forward to seeing how it works for you...