all messages for Guix-related lists mirrored at yhetil.org
 help / color / mirror / code / Atom feed
From: Andreas Enge <andreas@enge.fr>
To: Mark H Weaver <mhw@netris.org>
Cc: 16791@debbugs.gnu.org
Subject: bug#16791: w3m fails to do any SSL certificate checking
Date: Tue, 18 Feb 2014 20:23:00 +0100	[thread overview]
Message-ID: <20140218192300.GA9840@debian> (raw)
In-Reply-To: <87ha7wol02.fsf@netris.org>

[-- Attachment #1: Type: text/plain, Size: 981 bytes --]

On Tue, Feb 18, 2014 at 03:58:21AM -0500, Mark H Weaver wrote:
> In Guix, neither w3m nor emacs-w3m warn me when I visit an https URL
> that uses a server certificate that is both self-signed and expired.
> To make matters worse, if I ask for page information (with the '=' key),
> it tells me that the certificate is valid.
> 
> On Debian, both w3m and emacs-w3m inform me when an SSL certificate is
> invalid in some way, e.g. if it's expired or not signed by a certificate
> authority in my trust store.

w3m can be configured to not verify ssl certificates; but this is not the
case for us. I checked that if the server presents a certificate for a
different domain, there is a message:
   Bad cert ident xxx from yyy: accept? (y/n)

However, the debian w3m asks whether a self-signed certificate should be
accepted. Among the about 30 patches in debian for w3m, the name of only one
is related to ssl; I am attaching it, but it does not seem related to our
problem.

Andreas


[-- Attachment #2: 260_openssl.patch --]
[-- Type: text/plain, Size: 991 bytes --]

Subject: OpenSSL issues
Author: Cristian Rodriguez <crrodriguez@opensuse.org>
Origin: https://build.opensuse.org/request/show/141054
Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2012-4929

  Mon Nov 12 18:26:45 UTC 2012 - crrodriguez@opensuse.org
  - Due to the "CRIME attack" (CVE-2012-4929) HTTPS clients
    that negotiate TLS-level compression can be abused for
    MITM attacks. (w3m-openssl.patch) 
  - Use SSL_MODE_RELEASE_BUFFERS if available .

--- w3m.orig/url.c
+++ w3m/url.c
@@ -337,7 +337,15 @@ openSSLHandle(int sock, char *hostname,
 	    if (strchr(ssl_forbid_method, 'T'))
 		option |= SSL_OP_NO_TLSv1;
 	}
+#ifdef SSL_OP_NO_COMPRESSION
+	option |= SSL_OP_NO_COMPRESSION;
+#endif
 	SSL_CTX_set_options(ssl_ctx, option);
+
+#ifdef SSL_MODE_RELEASE_BUFFERS
+	SSL_CTX_set_mode (ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
+#endif
+
 #ifdef USE_SSL_VERIFY
 	/* derived from openssl-0.9.5/apps/s_{client,cb}.c */
 #if 1				/* use SSL_get_verify_result() to verify cert */

  reply	other threads:[~2014-02-18 19:24 UTC|newest]

Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2014-02-18  8:58 bug#16791: w3m fails to do any SSL certificate checking Mark H Weaver
2014-02-18 19:23 ` Andreas Enge [this message]
2014-02-18 19:32   ` Andreas Enge
2016-01-03  2:20 ` Leo Famulari
2016-01-04  6:19   ` Leo Famulari
2016-01-04 19:12     ` Leo Famulari
2016-01-04 23:35     ` Ludovic Courtès
2016-01-05 16:32       ` Leo Famulari
2016-01-08  4:55         ` Leo Famulari
2016-02-10 21:16           ` Leo Famulari

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20140218192300.GA9840@debian \
    --to=andreas@enge.fr \
    --cc=16791@debbugs.gnu.org \
    --cc=mhw@netris.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
Code repositories for project(s) associated with this external index

	https://git.savannah.gnu.org/cgit/guix.git

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.