From: Andreas Enge <andreas@enge.fr>
To: Mark H Weaver <mhw@netris.org>
Cc: 16791@debbugs.gnu.org
Subject: bug#16791: w3m fails to do any SSL certificate checking
Date: Tue, 18 Feb 2014 20:23:00 +0100 [thread overview]
Message-ID: <20140218192300.GA9840@debian> (raw)
In-Reply-To: <87ha7wol02.fsf@netris.org>
On Tue, Feb 18, 2014 at 03:58:21AM -0500, Mark H Weaver wrote:
> In Guix, neither w3m nor emacs-w3m warn me when I visit an https URL
> that uses a server certificate that is both self-signed and expired.
> To make matters worse, if I ask for page information (with the '=' key),
> it tells me that the certificate is valid.
>
> On Debian, both w3m and emacs-w3m inform me when an SSL certificate is
> invalid in some way, e.g. if it's expired or not signed by a certificate
> authority in my trust store.
w3m can be configured to not verify SSL certificates; but this is not the
case for us. I checked that if the server presents a certificate for a
different domain, there is a message:
Bad cert ident xxx from yyy: accept? (y/n)
However, the Debian w3m asks whether a self-signed certificate should be
accepted. Among the about 30 patches in Debian for w3m, the name of only one
is related to SSL; I am attaching it, but it does not seem related to our
problem.
Andreas
[-- Attachment #2: 260_openssl.patch --]
Subject: OpenSSL issues
Author: Cristian Rodriguez <crrodriguez@opensuse.org>
Origin: https://build.opensuse.org/request/show/141054
Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2012-4929
Mon Nov 12 18:26:45 UTC 2012 - crrodriguez@opensuse.org
- Due to the "CRIME attack" (CVE-2012-4929) HTTPS clients
that negotiate TLS-level compression can be abused for
MITM attacks. (w3m-openssl.patch)
- Use SSL_MODE_RELEASE_BUFFERS if available.
--- w3m.orig/url.c
+++ w3m/url.c
@@ -337,7 +337,15 @@ openSSLHandle(int sock, char *hostname,
if (strchr(ssl_forbid_method, 'T'))
option |= SSL_OP_NO_TLSv1;
}
+#ifdef SSL_OP_NO_COMPRESSION
+ option |= SSL_OP_NO_COMPRESSION;
+#endif
SSL_CTX_set_options(ssl_ctx, option);
+
+#ifdef SSL_MODE_RELEASE_BUFFERS
+ SSL_CTX_set_mode (ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
+#endif
+
#ifdef USE_SSL_VERIFY
/* derived from openssl-0.9.5/apps/s_{client,cb}.c */
#if 1 /* use SSL_get_verify_result() to verify cert */
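Review bot: the `#ifdef SSL_OP_NO_COMPRESSION` guard around `option |= SSL_OP_NO_COMPRESSION;` means that on an OpenSSL build old enough to lack the macro, TLS compression stays enabled and the CVE-2012-4929 mitigation the changelog describes silently disappears, unlike `SSL_MODE_RELEASE_BUFFERS`, which the changelog explicitly calls optional ("if available"); consider an `#else` branch with a `#warning` so such a build reports it. Style: `SSL_CTX_set_mode (ssl_ctx, SSL_MODE_RELEASE_BUFFERS);` has a space before the parenthesis, unlike `SSL_CTX_set_options(ssl_ctx, option);` just above it. Note also that neither added block touches the verification path under `USE_SSL_VERIFY` in the trailing context (`SSL_get_verify_result()`), which is consistent with the cover note that this patch does not explain the missing self-signed and expiry checks.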