2 years ago I implemented a solution for this problem on Linux (actually platforms using OpenSSL), which integrated well with the way SqueakSSL worked (and still works)[1]. There was a plan for a better fix, but as it turned out, it was a mistake not to push the changes, because the new plan would require way too large an effort to be done. IMHO, disabling verification is clearly not the solution.
Levente
[1] http://forum.world.st/SqueakSSL-SAN-certificates-td4828767.html
On Thu, 27 Apr 2017, commits@source.squeak.org wrote:
A new version of WebClient-Core was added to project The Inbox: http://source.squeak.org/inbox/WebClient-Core-fn.105.mcz
==================== Summary ====================
Name: WebClient-Core-fn.105
Author: fn
Time: 27 April 2017, 6:32:47.94973 pm
UUID: 9d163339-62e5-4248-b3c4-773616160ea0
Ancestors: WebClient-Core-jr.104
Disable certificate validation on all platforms for the time being. It turns out, this does not only probably work on macOS, but also on Windows and Linux. The WebClient seems to have problems with some certificates used for popular domains, e.g. google.com and github.com. The Zinc library does not perform the validation as well at the moment.
=============== Diff against WebClient-Core-jr.104 ===============
Item was changed: ----- Method: WebClient>>sslConnect (in category 'initialize') ----- sslConnect "Do the SSL handshake" "Connect the client to a web server"
| sqSSL | proxyServer ifNotNil:[ | resp | "If we have a proxy server, do the proxy connect" resp := self proxyConnect. resp isSuccess ifFalse:[^resp]. ].
sqSSL := Smalltalk at: #SqueakSSL ifAbsent:[self error: 'SqueakSSL is missing']. "Convert the stream to a secure stream" stream := sqSSL secureSocketStream on: stream socket. stream timeout: timeout. self sslConnect: stream to: lastServer.
- "Normally, we would verify the cert now, but this does not work properly"
- "stream verifyCert: self serverName."
- "And cert verification
- (unless on OSX, where this does not work yet)"
- WebUtils platformName = 'Mac OS'
^ nil"indicating success"ifFalse: [stream verifyCert: self serverName].
!
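Review bot: At the end of WebClient>>sslConnect, after `self sslConnect: stream to: lastServer`, the method now returns nil ("indicating success") without calling `stream verifyCert: self serverName` on any platform, so a completed handshake no longer says anything about whether the peer's certificate matches the requested host. The previous code skipped the check only when `WebUtils platformName = 'Mac OS'`; keeping that guard, or putting the skip behind an explicit per-client opt-in that defaults to verifying, would keep validation on the platforms where it works. The comment "Normally, we would verify the cert now, but this does not work properly" should also state directly that verification is disabled and name the certificates or domains that fail (the summary mentions google.com and github.com), so the check can be restored once those cases are handled.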