From mboxrd@z Thu Jan  1 00:00:00 1970
From: Leo Famulari <leo@famulari.name>
Subject: bug#16791: w3m fails to do any SSL certificate checking
Date: Sat, 2 Jan 2016 21:20:30 -0500
Message-ID: <20160103022030.GA16788@jasmine>
References: <87ha7wol02.fsf@netris.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Return-path: <bug-guix-bounces+gcggb-bug-guix=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:54805)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1aFYI8-0004EN-6g
	for bug-guix@gnu.org; Sat, 02 Jan 2016 21:21:09 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1aFYI4-0000tj-4u
	for bug-guix@gnu.org; Sat, 02 Jan 2016 21:21:08 -0500
Received: from debbugs.gnu.org ([208.118.235.43]:47520)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1aFYI2-0000tf-H0
	for bug-guix@gnu.org; Sat, 02 Jan 2016 21:21:04 -0500
In-Reply-To: <87ha7wol02.fsf@netris.org>
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-Message-ID: <handler.16791.B16791.14517876399485@debbugs.gnu.org>
Content-Disposition: inline
List-Id: Bug reports for GNU Guix <bug-guix.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/bug-guix>,
	<mailto:bug-guix-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/bug-guix>
List-Post: <mailto:bug-guix@gnu.org>
List-Help: <mailto:bug-guix-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/bug-guix>,
	<mailto:bug-guix-request@gnu.org?subject=subscribe>
Errors-To: bug-guix-bounces+gcggb-bug-guix=m.gmane.org@gnu.org
Sender: bug-guix-bounces+gcggb-bug-guix=m.gmane.org@gnu.org
To: 16791@debbugs.gnu.org

I looked into how Debian does it. They bundle a configuration file that
sets the correct options.

If you download the "debian" file [0], which includes all of their
packaging for w3m, you can view the file at 'debian/w3mconfig'.

The relevant option is "ssl_verify_server", and it must be set to "1" in
order for w3m to perform verification.

Example with a domain whose certificate is expired:
$ w3m -o ssl_verify_server 1 fmrl.me

Do we ever bundle configuration files in this manner?

Can a wrapper set command-line variables?

I will investigate whether these options can be set at build time.

I don't think we should ship a browser in this state, even if users are
able to configure it properly after installation. w3m is used by other
programs like mutt to render html "under the hood".

[0]
http://http.debian.net/debian/pool/main/w/w3m/w3m_0.5.3-26.debian.tar.xz