On 2012-12-12 18:34:48 -0500, Thomas Dickey wrote:
> I can reproduce this, and see that the problem is arguably a
> configuration error on your part.  The first interesting difference is
> this line omitted from a trace of the malfunctioning session:
> 
> HTGetSSLHandle: certfile is set to /etc/ssl/certs/ca-certificates.crt by 
> config SSL_CERT_FILE
> 
> What is happening is that gnutls is confused about the reason why the
> certificate could not be traced to an authority - it only knows that
> the attempt failed.  It sets the status which lynx reports here:
> 
>           if (ret == 0 && tls_status & GNUTLS_CERT_SIGNER_NOT_FOUND) {
>               msg2 = gettext("self signed certificate");
> 
> Since there is no configuration information available to lynx,
> there is no way for it to check any of the certificates.

The certificate is *not* self signed. There may be an error, but the
error message should be meaningful for the user and correct. Using a
"self signed certificate" is always an error from the web server,
thus not a config problem. This is not the case here.

http://www.gnu.org/software/gnutls/manual/gnutls.html says:

  GNUTLS_CERT_SIGNER_NOT_FOUND
    The certificate’s issuer is not known. This is the case if the
    issuer is not included in the trusted certificate list.

The error message could be:

  unknown certificate's issuer

or

  untrusted certificate

The second one may be better, because the lynx man page uses the word
"trusted" for SSL_CERT_DIR and SSL_CERT_FILE.

Note: When there is an error about a certificate's issuer with Firefox,
one can get some information that can be useful to know which CA
certificate is missing. Something similar should be done here.

BTW, do you mean that previous lynx versions never checked the
certificate chain? Because though my list of trusted certificates
was empty, I never got such an error from lynx. In such a case, a
security bug should be reported against the previous versions in
Debian...

-- 
Vincent Lefèvre <vinc...@vinc17.net> - Web: <http://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <http://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
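The thread's point is that GNUTLS_CERT_SIGNER_NOT_FOUND only tells you the issuer is absent from the trusted list, so reporting it as "self signed certificate" conflates three distinct situations. The function below is an added example (not lynx or gnutls code) of how a client could map a gnutls verification status to a more accurate message; the flag values mirror gnutls's gnutls_certificate_status_t, and the `self_signed` and `have_trust_store` inputs are assumed to be determined by the caller (by comparing the peer certificate's issuer and subject DNs, and by checking whether any CA file or directory was actually loaded).

```c
#include <stdio.h>
#include <string.h>

/* Bit values as defined by gnutls_certificate_status_t in <gnutls/gnutls.h>;
 * repeated here so the example builds without the gnutls headers. */
#define CERT_INVALID            (1u << 1)
#define CERT_REVOKED            (1u << 5)
#define CERT_SIGNER_NOT_FOUND   (1u << 6)
#define CERT_SIGNER_NOT_CA      (1u << 7)
#define CERT_INSECURE_ALGORITHM (1u << 8)
#define CERT_NOT_ACTIVATED      (1u << 9)
#define CERT_EXPIRED            (1u << 10)

/* Turn a gnutls verification status into a user-facing message.
 * self_signed      : caller found the peer cert's issuer DN equal to its
 *                    subject DN (assumption: computed outside this function).
 * have_trust_store : non-zero if a CA file/dir was actually loaded
 *                    (SSL_CERT_FILE / SSL_CERT_DIR in lynx terms). */
const char *describe_cert_status(unsigned status, int self_signed, int have_trust_store)
{
    if (status == 0)
        return "certificate verified";
    /* Hard failures first: none of these is a local configuration problem. */
    if (status & CERT_REVOKED)
        return "certificate has been revoked";
    if (status & CERT_EXPIRED)
        return "certificate has expired";
    if (status & CERT_NOT_ACTIVATED)
        return "certificate is not yet valid";
    if (status & CERT_INSECURE_ALGORITHM)
        return "certificate signed with an insecure algorithm";
    if (status & CERT_SIGNER_NOT_CA)
        return "certificate issuer is not a CA";
    if (status & CERT_SIGNER_NOT_FOUND) {
        /* SIGNER_NOT_FOUND only means the issuer is absent from the trusted
         * list; it is "self signed" only when the cert is its own issuer. */
        if (self_signed)
            return "self signed certificate";
        if (!have_trust_store)
            return "untrusted certificate: no trusted CA list configured (check SSL_CERT_FILE / SSL_CERT_DIR)";
        return "untrusted certificate: issuer not in trusted CA list";
    }
    return "certificate could not be verified";
}

int main(void)
{
    /* Constructed status matching the thread: unknown issuer, empty trust list. */
    printf("%s\n", describe_cert_status(CERT_INVALID | CERT_SIGNER_NOT_FOUND, 0, 0));
    return 0;
}
```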
