From 25a2824203ad199d69432940d2f1edda5b226e9e Mon Sep 17 00:00:00 2001
From: Philip Withnall <philip@tecnocode.co.uk>
Date: Thu, 8 Mar 2012 00:09:08 +0000
Subject: [PATCH] core: Validate SSL certificates for all connections

This prevents MitM attacks which use spoofed SSL certificates.

Closes: https://bugzilla.gnome.org/show_bug.cgi?id=671535

[Alexandre Rostovtsev <tetromino@gentoo.org>: backport to 0.8.1]

Conflicts:

	gdata/gdata-service.c
---
 configure.ac          |    7 +++++++
 gdata/gdata-service.c |    2 +-
 2 files changed, 8 insertions(+), 1 deletions(-)

diff --git a/configure.ac b/configure.ac
index 449383d..ad23761 100644
--- a/configure.ac
+++ b/configure.ac
@@ -92,6 +92,13 @@ AC_CHECK_FUNCS([strtol])
 AC_CHECK_FUNCS([strtoul])
 AC_CHECK_HEADERS([sys/time.h])
 
+# System SSL CA certificates
+AC_ARG_WITH(ca-certs,
+            AS_HELP_STRING([--with-ca-certs=PATH],[location of SSL CA certificates (default: /etc/ssl/certs/ca-certificates.crt)]),
+            ca_certs="$withval",
+            ca_certs="/etc/ssl/certs/ca-certificates.crt")
+AC_DEFINE_UNQUOTED(CA_CERTS, "$ca_certs", [Where to look for SSL CA certificates])
+
 # Internationalisation support
 GETTEXT_PACKAGE=gdata
 AC_DEFINE_UNQUOTED(GETTEXT_PACKAGE, ["$GETTEXT_PACKAGE"], [Define to the Gettext package name])
diff --git a/gdata/gdata-service.c b/gdata/gdata-service.c
index 420eec2..8d8d21c 100644
--- a/gdata/gdata-service.c
+++ b/gdata/gdata-service.c
@@ -273,7 +273,7 @@ static void
 gdata_service_init (GDataService *self)
 {
 	self->priv = G_TYPE_INSTANCE_GET_PRIVATE (self, GDATA_TYPE_SERVICE, GDataServicePrivate);
-	self->priv->session = soup_session_sync_new ();
+	self->priv->session = soup_session_sync_new_with_options (SOUP_SESSION_SSL_CA_FILE, CA_CERTS, NULL);
 
 #ifdef HAVE_GNOME
 	soup_session_add_feature_by_type (self->priv->session, SOUP_TYPE_GNOME_FEATURES_2_26);
-- 
1.7.8.5