On Tue, Feb 18, 2014 at 03:58:21AM -0500, Mark H Weaver wrote:
> In Guix, neither w3m nor emacs-w3m warn me when I visit an https URL
> that uses a server certificate that is both self-signed and expired.
> To make matters worse, if I ask for page information (with the '=' key),
> it tells me that the certificate is valid.
>
> On Debian, both w3m and emacs-w3m inform me when an SSL certificate is
> invalid in some way, e.g. if it's expired or not signed by a certificate
> authority in my trust store.
w3m can be configured not to verify SSL certificates, but this is not the case for us. I checked that if the server presents a certificate for a different domain, there is a message:

    Bad cert ident xxx from yyy: accept? (y/n)

However, the Debian w3m asks whether a self-signed certificate should be accepted. Among the roughly 30 patches in Debian for w3m, the name of only one is related to SSL; I am attaching it, but it does not seem related to our problem.

Andreas
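A way to reproduce the two failures Mark describes (self-signed and expired) with a throwaway certificate, so a w3m build can be checked against a known-bad cert. This is an added example, not part of the thread; it assumes the `openssl` command-line tool (1.1 or later) is on PATH, and the certificate, file names and host name are constructed for the test.

```shell
#!/bin/sh
# Added example: generate a self-signed test certificate and show what a
# verifier that actually checks the chain reports for it. Assumes an
# `openssl` CLI (1.1+) on PATH; all files live in a temporary directory.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test certificate: self-signed, valid for one day from now,
# for the made-up name example.test.
openssl req -x509 -newkey rsa:2048 -nodes -subj /CN=example.test -days 1 \
  -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1

# verify_cert CERT [CAFILE] [EPOCH]
# Prints the X509_V_ERR_* code the verifier reports (0 when the chain is OK).
# The system trust store is disabled so only CAFILE, if given, is trusted;
# EPOCH makes the check run "as of" that time, which is how we simulate expiry.
verify_cert() {
  cert=$1; cafile=${2:-}; at=${3:-}
  set -- -no-CAfile -no-CApath
  [ -n "$cafile" ] && set -- "$@" -CAfile "$cafile"
  [ -n "$at" ] && set -- "$@" -attime "$at"
  out=$(openssl verify "$@" "$cert" 2>&1 || true)
  # Failure lines look like "error 18 at 0 depth lookup: <reason>"; the numeric
  # code is stable across OpenSSL versions, the reason text is not.
  code=$(printf '%s\n' "$out" |
    sed -n 's/^.*error \([0-9][0-9]*\) at [0-9][0-9]* depth lookup.*/\1/p' |
    head -n 1)
  echo "${code:-0}"
}

# Two days from now, i.e. after the one-day certificate has expired.
LATER=$(( $(date +%s) + 172800 ))

# Untrusted issuer: 18 = X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT.
echo "self-signed, not trusted: $(verify_cert "$WORK/cert.pem")"
# Explicitly trusted and within validity: 0 (OK).
echo "trusted, in validity:     $(verify_cert "$WORK/cert.pem" "$WORK/cert.pem")"
# Trusted but checked after expiry: 10 = X509_V_ERR_CERT_HAS_EXPIRED.
echo "trusted, after expiry:    $(verify_cert "$WORK/cert.pem" "$WORK/cert.pem" "$LATER")"
```

Serving `$WORK/cert.pem` and `$WORK/key.pem` from any local HTTPS server gives a page that a correctly configured w3m should refuse or at least warn about; a client that reports such a certificate as valid is not consulting the verification result at all.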
Subject: OpenSSL issues Author: Cristian Rodriguez <crrodrig...@opensuse.org> Origin: https://build.opensuse.org/request/show/141054 Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2012-4929 Mon Nov 12 18:26:45 UTC 2012 - crrodrig...@opensuse.org - Due to the "CRIME attack" (CVE-2012-4929) HTTPS clients that negotiate TLS-level compression can be abused for MITM attacks. (w3m-openssl.patch) - Use SSL_MODE_RELEASE_BUFFERS if available . --- w3m.orig/url.c +++ w3m/url.c @@ -337,7 +337,15 @@ openSSLHandle(int sock, char *hostname, if (strchr(ssl_forbid_method, 'T')) option |= SSL_OP_NO_TLSv1; } +#ifdef SSL_OP_NO_COMPRESSION + option |= SSL_OP_NO_COMPRESSION; +#endif SSL_CTX_set_options(ssl_ctx, option); + +#ifdef SSL_MODE_RELEASE_BUFFERS + SSL_CTX_set_mode (ssl_ctx, SSL_MODE_RELEASE_BUFFERS); +#endif + #ifdef USE_SSL_VERIFY /* derived from openssl-0.9.5/apps/s_{client,cb}.c */ #if 1 /* use SSL_get_verify_result() to verify cert */
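Review bot: the `#ifdef SSL_OP_NO_COMPRESSION` guard in this hunk silently leaves TLS-level compression enabled on OpenSSL builds that lack the macro, so the CVE-2012-4929 mitigation the header describes only applies when the build happens to have it; an `#else` branch with a `#warning` would make that visible to packagers. Also, `SSL_CTX_set_mode (ssl_ctx, SSL_MODE_RELEASE_BUFFERS);` has a space before the parenthesis while `SSL_CTX_set_options(ssl_ctx, option);` two lines above does not; drop the space for consistency. Note that nothing in the hunk touches the verification path that begins at the trailing `#ifdef USE_SSL_VERIFY` context, which is consistent with Andreas's reading that this patch is unrelated to the missing certificate warnings.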