From: Andreas Enge
Subject: bug#16791: w3m fails to do any SSL certificate checking
Date: Tue, 18 Feb 2014 20:23:00 +0100
Message-ID: <20140218192300.GA9840@debian>
In-Reply-To: <87ha7wol02.fsf@netris.org>
References: <87ha7wol02.fsf@netris.org>
To: Mark H Weaver
Cc: 16791@debbugs.gnu.org
List-Id: Bug reports for GNU Guix

On Tue, Feb 18, 2014 at 03:58:21AM -0500, Mark H Weaver wrote:
> In Guix, neither w3m nor emacs-w3m warn me when I visit an https URL
> that uses a server certificate that is both self-signed and expired.
> To make matters worse, if I ask for page information (with the '=' key),
> it tells me that the certificate is valid.
>
> On Debian, both w3m and emacs-w3m inform me when an SSL certificate is
> invalid in some way, e.g. if it's expired or not signed by a certificate
> authority in my trust store.
w3m can be configured to not verify SSL certificates; but this is not the
case for us. I checked that if the server presents a certificate for a
different domain, there is a message:

    Bad cert ident xxx from yyy: accept? (y/n)

However, the Debian w3m asks whether a self-signed certificate should be
accepted. Among the about 30 patches in Debian for w3m, the name of only one
is related to SSL; I am attaching it, but it does not seem related to our
problem.

Andreas

[Attachment: 260_openssl.patch]

Subject: OpenSSL issues
Author: Cristian Rodriguez
Origin: https://build.opensuse.org/request/show/141054
Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2012-4929

Mon Nov 12 18:26:45 UTC 2012 - crrodriguez@opensuse.org

- Due to the "CRIME attack" (CVE-2012-4929) HTTPS clients that negotiate
  TLS-level compression can be abused for MITM attacks. (w3m-openssl.patch)
- Use SSL_MODE_RELEASE_BUFFERS if available .

--- w3m.orig/url.c
+++ w3m/url.c
@@ -337,7 +337,15 @@ openSSLHandle(int sock, char *hostname,
 	if (strchr(ssl_forbid_method, 'T'))
 	    option |= SSL_OP_NO_TLSv1;
     }
+#ifdef SSL_OP_NO_COMPRESSION
+    option |= SSL_OP_NO_COMPRESSION;
+#endif
     SSL_CTX_set_options(ssl_ctx, option);
+
+#ifdef SSL_MODE_RELEASE_BUFFERS
+    SSL_CTX_set_mode (ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
+#endif
+
 #ifdef USE_SSL_VERIFY
     /* derived from openssl-0.9.5/apps/s_{client,cb}.c */
 #if 1				/* use SSL_get_verify_result() to verify cert */
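Review bot: both additions in this hunk are wrapped in #ifdef, so on an OpenSSL too old to define SSL_OP_NO_COMPRESSION the CRIME mitigation that the patch header announces is silently compiled out; consider an #else branch with a build-time #warning, or state the minimum OpenSSL version in the patch header so packagers can tell whether the mitigation is actually in effect. Style: "SSL_CTX_set_mode (ssl_ctx, SSL_MODE_RELEASE_BUFFERS);" has a space before the parenthesis, unlike the neighbouring "SSL_CTX_set_options(ssl_ctx, option);"; drop it to match the file. As the cover mail says, the hunk only adjusts context options and ends right before the USE_SSL_VERIFY block, so it leaves certificate verification untouched.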
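To make concrete what a client is expected to report for the two cases in the bug report (a certificate that is self-signed and one that is also expired), here is an added example that is not part of this thread, of w3m, or of the attached patch. It uses Go's standard library instead of OpenSSL, generates throwaway self-signed certificates in memory (the host name "example.test" and the validity windows are constructed), and runs the post-handshake checks a browser must perform: chain to a trusted root, validity period, host name. The empty trust store stands for the user's CA bundle not containing the site's certificate; the second pool stands for a user who explicitly accepted it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Verdict is what the user should be told about the server certificate.
type Verdict string

const (
	VerdictOK           Verdict = "valid"
	VerdictUntrusted    Verdict = "not signed by a CA in the trust store"
	VerdictExpired      Verdict = "expired or not yet valid"
	VerdictNameMismatch Verdict = "certificate is for a different host"
	VerdictOther        Verdict = "invalid for another reason"
)

// makeSelfSigned builds a self-signed leaf certificate for host with the given
// validity window. Constructed test data, not a real server certificate.
func makeSelfSigned(host string, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// classify performs the checks a TLS client must do after the handshake
// (trusted chain, validity period, host name) and maps the failure to a verdict.
// Go checks the validity period first, then the host name, then the chain.
func classify(cert *x509.Certificate, roots *x509.CertPool, host string, now time.Time) Verdict {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: now})
	if err == nil {
		return VerdictOK
	}
	var ua x509.UnknownAuthorityError
	var ci x509.CertificateInvalidError
	var hn x509.HostnameError
	switch {
	case errors.As(err, &ua):
		return VerdictUntrusted
	case errors.As(err, &ci) && ci.Reason == x509.Expired:
		return VerdictExpired
	case errors.As(err, &hn):
		return VerdictNameMismatch
	}
	return VerdictOther
}

// runScenarios reproduces the situations from the bug report and returns the
// verdict a correct client gives for each one.
func runScenarios() (map[string]Verdict, error) {
	now := time.Date(2014, 2, 18, 0, 0, 0, 0, time.UTC) // date of the report, used as "current time"
	host := "example.test"                               // constructed host name
	expired, err := makeSelfSigned(host, now.Add(-48*time.Hour), now.Add(-24*time.Hour))
	if err != nil {
		return nil, err
	}
	current, err := makeSelfSigned(host, now.Add(-time.Hour), now.Add(24*time.Hour))
	if err != nil {
		return nil, err
	}
	empty := x509.NewCertPool()    // trust store that does not contain the site's certificate
	trusting := x509.NewCertPool() // user explicitly accepted the self-signed certificate
	trusting.AddCert(current)
	return map[string]Verdict{
		"self-signed and expired, not trusted": classify(expired, empty, host, now),
		"self-signed, not trusted":             classify(current, empty, host, now),
		"self-signed, explicitly trusted":      classify(current, trusting, host, now),
		"trusted but wrong host":               classify(current, trusting, "other.test", now),
	}, nil
}

func main() {
	results, err := runScenarios()
	if err != nil {
		panic(err)
	}
	for name, v := range results {
		fmt.Printf("%-40s -> %s\n", name, v)
	}
}
```

Note that the expired, self-signed certificate is reported as expired rather than untrusted, because the validity period is checked before any chain is built; a client that only consults the chain result would miss the expiry, and a client that skips verification altogether, which is what the report describes, reports nothing at all.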