bug#16791: w3m fails to do any SSL certificate checking

[Leo Famulari <leo@famulari.name>]

On Tue, Jan 05, 2016 at 11:32:14AM -0500, Leo Famulari wrote:
> On Tue, Jan 05, 2016 at 12:35:57AM +0100, Ludovic Courtès wrote:
> > Leo Famulari <leo@famulari.name> skribis:
> > 
> > > On Sat, Jan 02, 2016 at 09:20:30PM -0500, Leo Famulari wrote:
> > >> I looked into how Debian does it. They bundle a configuration file that
> > >> sets the correct options.
> > >> 
> > >> If you download the "debian" file [0], which includes all of their
> > >> packaging for w3m, you can view the file at 'debian/w3mconfig'.
> > >> 
> > >> The relevant option is "ssl_verify_server", and it must be set to "1" in
> > >> order for w3m to perform verification.
> > >> 
> > >> Example with a domain whose certificate is expired:
> > >> $ w3m -o ssl_verify_server 1 fmrl.me
> > >> 
> > >> Do we ever bundle configuration files in this manner?
> > >> 
> > >> Can a wrapper set command-line variables?
> > >> 
> > >> I will investigate whether these options can be set at build time.
> > >> 
> > >> I don't think we should ship a browser in this state, even if users are
> > >> able to configure it properly after installation. w3m is used by other
> > >> programs like mutt to render html "under the hood".
> > >> 
> > >> [0]
> > >> http://http.debian.net/debian/pool/main/w/w3m/w3m_0.5.3-26.debian.tar.xz
> > >> 
> > >
> > > This particular issue was resolved in October 2014 in this commit
> > > (tested):
> > > http://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=05503271dfd26b843589dece0da35ba5d7d38654
> > 
> > Looks like applying this patch would fix the bug right away, right?
> > 
> > > It looks like there is a lot of development activity happening within
> > > Debian, beyond simple packaging [0]. Even what seems to be the official
> > > SourceForge page seems to be tracking the Debian work [1].
> > >
> > > The Debian developers are regularly issuing release tags but not release
> > > tarballs. I built from the latest one and it seems to work.
> > >
> > > I think we should use the Debian repo as the source for our w3m package.
> > > What does everyone else think?
> > 
> > Unless upstream is really dead, we should track it.  I think it’s not
> > the distro’s job to do non-trivial development.
> 
> I'm trying to reach the people that used to work on w3m to ask if they
> are still active or if they have abandoned it. They haven't been around
> in ~4 years from what I have seen.
> 
> > 
> > What about using the latest upstream tarball, along with the patch
> > above and probably the one that disables SSLv{2,3}?
> 
> I'll try that.

Mark, can you check if commit 62339e2d49 fixes this bug for you?

> 
> > 
> > Thanks,
> > Ludo’.
> 
> 
>