
Bug#695653: lynx-cur: on any https URL, I get "SSL error:self signed certificate"


Thomas Dickey

Dec 11, 2012, 4:40:03 AM
On Tue, Dec 11, 2012 at 09:55:38AM +0100, Vincent Lefevre wrote:
> Package: lynx-cur
> Version: 2.8.8dev.15-1
> Severity: grave
> Justification: renders package unusable
>
> On any https URL[*], I get the following error:
>
> SSL error:self signed certificate-Continue? (y)
>
> As accepting is regarded as a security problem (for most sites),
> one can consider that lynx no longer works with https URL's (or
> can tend to make users do insecure things), which is a major
> problem nowadays.
>
> [*] I've tried with:
> * https://gforge.inria.fr/
> * https://www.gandi.net/
> * https://www.vinc17.net/
> * https://ent.ens-lyon.fr/

fwiw, lynx built according to the Debian options (with gnutls) works
fine on my Debian 6 machine (will investigate this evening to see
what's different in the current package or environment).

--
Thomas E. Dickey <dic...@invisible-island.net>
http://invisible-island.net
ftp://invisible-island.net

Thomas Dickey

Dec 12, 2012, 5:20:02 AM
On Tue, Dec 11, 2012 at 04:37:02AM -0500, Thomas Dickey wrote:
> On Tue, Dec 11, 2012 at 09:55:38AM +0100, Vincent Lefevre wrote:
> > Package: lynx-cur
> > Version: 2.8.8dev.15-1
> > Severity: grave
> > Justification: renders package unusable
> >
> > On any https URL[*], I get the following error:
> >
> > SSL error:self signed certificate-Continue? (y)
> >
> > As accepting is regarded as a security problem (for most sites),
> > one can consider that lynx no longer works with https URL's (or
> > can tend to make users do insecure things), which is a major
> > problem nowadays.
> >
> > [*] I've tried with:
> > * https://gforge.inria.fr/
> > * https://www.gandi.net/
> > * https://www.vinc17.net/
> > * https://ent.ens-lyon.fr/
>
> fwiw, lynx built according to the Debian options (with gnutls) works
> fine on my Debian 6 machine (will investigate this evening to see
> what's different in the current package or environment).

I'm not able to reproduce the problem, either by recompiling, or by installing
this version on my Debian/testing system. For each configuration, lynx
accepts the certificate and does not prompt.

Vincent Lefevre

Dec 12, 2012, 6:10:01 AM
On 2012-12-12 05:08:21 -0500, Thomas Dickey wrote:
> I'm not able to reproduce the problem, either by recompiling, or by
> installing this version on my Debian/testing system. For each
> configuration, lynx accepts the certificate and does not prompt.

The problem occurs when $LYNX_CFG is set, including to an empty
config file.

I can reproduce the problem on my two Debian/unstable machines, but
not on a Debian 6.0.6 machine, where my user config is the same.

--
Vincent Lefèvre <vin...@vinc17.net> - Web: <http://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <http://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)



Vincent Lefevre

Dec 12, 2012, 6:50:02 AM
On 2012-12-12 06:28:56 -0500, Thomas Dickey wrote:
> On Wed, Dec 12, 2012 at 05:08:21AM -0500, Thomas Dickey wrote:
> > I'm not able to reproduce the problem, either by recompiling, or
> > by installing this version on my Debian/testing system. For each
> > configuration, lynx accepts the certificate and does not prompt.
>
> I tested first with LYNX_CFG unset, and then with it set to ''.

LYNX_CFG contains a filename. Do not set it to '', but to /dev/null
for instance.

Vincent Lefevre

Dec 12, 2012, 7:00:01 AM
On 2012-12-12 12:03:39 +0100, Vincent Lefevre wrote:
> The problem occurs when $LYNX_CFG is set, including to an empty
> config file.
>
> I can reproduce the problem on my two Debian/unstable machines, but
> not on a Debian 6.0.6 machine, where my user config is the same.

Here's what I get with "-trace-mask=255 -trace":

[...]
Making HTTPS connection to gforge.inria.fr
TCP: Error 115 in `SOCKET_ERRNO' after call to this socket's first connect() failed.
Operation now in progress
TCP: Error 115 in `SOCKET_ERRNO' after call to this socket's first select() failed.
Operation now in progress
->:+VERS-TLS1.0:+VERS-SSL3.0
->:+AES-128-CBC:+3DES-CBC:+AES-256-CBC:+ARCFOUR-128
->:+COMP-DEFLATE:+COMP-NULL
->:+DHE-RSA:+RSA:+DHE-DSS
->:+SHA1:+MD5
set priorities NONE:+VERS-TLS1.0:+VERS-SSL3.0:+AES-128-CBC:+3DES-CBC:+AES-256-CBC:+ARCFOUR-128:+COMP-DEFLATE:+COMP-NULL:+DHE-RSA:+RSA:+DHE-DSS:+SHA1:+MD5
CHECK 0:
HTParse: aName:`https://gforge.inria.fr/'
relatedName:`'
want: host
HTParse: result:`gforge.inria.fr'
...called gnutls_server_name_set(gforge.inria.fr) ->0
HTLoadHTTP: SSL error:self signed certificate-Continue?
[...]

On the Debian 6.0.6 machine:

[...]
Making HTTPS connection to gforge.inria.fr
TCP: Error 115 in `SOCKET_ERRNO' after call to this socket's first connect() failed.
Operation now in progress
TCP: Error 115 in `SOCKET_ERRNO' after call to this socket's first select() failed.
Operation now in progress
HTParse: aName:`https://gforge.inria.fr/'
relatedName:`'
want: host
HTParse: result:`gforge.inria.fr'
Validating CNs in '/C=FR/O=INST NAT RECHERCHE INFORMATIQUE AUTOMA/CN=gforge.inria.fr'
Matching
ssl_host 'gforge.inria.fr'
cert_host 'gforge.inria.fr'
CSS.CS:<status> style 505 code 0x1f9, color 0x200800
CACHED: <status> @(59,0)
CSS:LYAttrset color 0x200800 -> (yellow/blue)
[59, 0] LYwaddnstr(Verified connection to gforge.inria.fr (cert=gforge.inria.fr), 61)
CSS.CS:</status> style 505 code 0x1f9, color 0x200800
CSS:LYAttrset color 0x1500 -> (lightgray/black)
Verified connection to gforge.inria.fr (cert=gforge.inria.fr)
CSS.CS:<status> style 505 code 0x1f9, color 0x200800
CACHED: <status> @(59,0)
CSS:LYAttrset color 0x200800 -> (yellow/blue)
[59, 0] LYwaddnstr(Certificate issued by: /C=NL/O=TERENA/CN=TERENA SSL CA, 54)
CSS.CS:</status> style 505 code 0x1f9, color 0x200800
CSS:LYAttrset color 0x1500 -> (lightgray/black)
Certificate issued by: /C=NL/O=TERENA/CN=TERENA SSL CA
[...]

Vincent Lefevre

Dec 12, 2012, 7:10:01 AM
On 2012-12-12 12:03:39 +0100, Vincent Lefevre wrote:
> The problem occurs when $LYNX_CFG is set, including to an empty
> config file.
>
> I can reproduce the problem on my two Debian/unstable machines, but
> not on a Debian 6.0.6 machine, where my user config is the same.

I've reverted to lynx-cur 2.8.8dev.14-1 on Debian/unstable, and
the problem doesn't occur. After reinstalling 2.8.8dev.15-1, the
problem occurs again. The changelog is:

lynx-cur (2.8.8dev.15-1) unstable; urgency=low

* New Upstream Release.
- Fixed a security bug, CVE-2012-5821: improve checking of certificates
in the gnutls_certificate_verify_peers2() by handling special case where
self-signed certificates should be reported (patch by Jamie Strandboge).
(Closes: #692443)
- revise nsl-fork logic for passing addrinfo and hostent data back
to eliminate fixed limit on the number of records to return
(Closes: #691904)
- corrected position of highlighting from search/whereis function when using
multibyte characters. (Closes: #673385)
* Updated patches files in debian/patches.

-- Atsuhito KOHDA <ko...@debian.org> Wed, 21 Nov 2012 21:54:10 +0900

I suppose that the fix of CVE-2012-5821 is wrong.

Thomas Dickey

Dec 12, 2012, 6:40:02 PM
On Wed, Dec 12, 2012 at 12:44:23PM +0100, Vincent Lefevre wrote:
> On 2012-12-12 06:28:56 -0500, Thomas Dickey wrote:
> > On Wed, Dec 12, 2012 at 05:08:21AM -0500, Thomas Dickey wrote:
> > > I'm not able to reproduce the problem, either by recompiling, or
> > > by installing this version on my Debian/testing system. For each
> > > configuration, lynx accepts the certificate and does not prompt.
> >
> > I tested first with LYNX_CFG unset, and then with it set to ''.
>
> LYNX_CFG contains a filename. Do not set it to '', but to /dev/null
> for instance.

I can reproduce this, and see that the problem is arguably a
configuration error on your part. The first interesting difference is
this line omitted from a trace of the malfunctioning session:

HTGetSSLHandle: certfile is set to /etc/ssl/certs/ca-certificates.crt by config SSL_CERT_FILE

What is happening is that gnutls is confused about the reason why the
certificate could not be traced to an authority - it only knows that
the attempt failed. It sets the status which lynx reports here:

if (ret == 0 && tls_status & GNUTLS_CERT_SIGNER_NOT_FOUND) {
    msg2 = gettext("self signed certificate");

Since there is no configuration information available to lynx,
there is no way for it to check any of the certificates.

Vincent Lefevre

Dec 12, 2012, 8:50:03 PM
On 2012-12-12 18:34:48 -0500, Thomas Dickey wrote:
> I can reproduce this, and see that the problem is arguably a
> configuration error on your part. The first interesting difference is
> this line omitted from a trace of the malfunctioning session:
>
> HTGetSSLHandle: certfile is set to /etc/ssl/certs/ca-certificates.crt by config SSL_CERT_FILE
>
> What is happening is that gnutls is confused about the reason why the
> certificate could not be traced to an authority - it only knows that
> the attempt failed. It sets the status which lynx reports here:
>
> if (ret == 0 && tls_status & GNUTLS_CERT_SIGNER_NOT_FOUND) {
>     msg2 = gettext("self signed certificate");
>
> Since there is no configuration information available to lynx,
> there is no way for it to check any of the certificates.

The certificate is *not* self signed. There may be an error, but the
error message should be meaningful for the user and correct. Using a
"self signed certificate" is always an error from the web server,
thus not a config problem. This is not the case here.

http://www.gnu.org/software/gnutls/manual/gnutls.html says:

GNUTLS_CERT_SIGNER_NOT_FOUND
The certificate’s issuer is not known. This is the case if the
issuer is not included in the trusted certificate list.

The error message could be:

unknown certificate's issuer

or

untrusted certificate

The second one may be better, because the lynx man page uses the word
"trusted" for SSL_CERT_DIR and SSL_CERT_FILE.

Note: When there is an error about a certificate's issuer with Firefox,
one can get some information that can be useful to know which CA
certificate is missing. Something similar should be done here.

BTW, do you mean that previous lynx versions never checked the
certificate chain? Because though my list of trusted certificates
was empty, I never got such an error from lynx. In such a case, a
security bug should be reported against the previous versions in
Debian...
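As an added example written for this thread (not code from lynx, gnutls or the Debian package), the Go program below makes the distinction the two messages above argue about: a certificate whose issuer is simply absent from the trust store, which is all an empty SSL_CERT_FILE such as /dev/null leaves lynx with, is "untrusted", while a genuinely self-signed certificate has issuer equal to subject and verifies under its own key. Go's crypto/x509 stands in for gnutls; the hostnames, the constructed test certificates and the wording of the messages are assumptions.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mkCert issues a certificate for host (a CA when isCA is set); parent == nil makes it
// self-signed. Constructed test data only, never use outside a test.
func mkCert(host string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed: the template signs itself
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Classify reports a verification failure the way a user can act on it: a chain that
// merely cannot be traced into the trust store is "untrusted", not "self signed".
func Classify(cert *x509.Certificate, roots *x509.CertPool) string {
	_, err := cert.Verify(x509.VerifyOptions{DNSName: cert.Subject.CommonName, Roots: roots})
	if err == nil {
		return "verified"
	}
	if _, unknown := err.(x509.UnknownAuthorityError); !unknown {
		return "invalid certificate: " + err.Error() // expired, wrong name, bad signature, ...
	}
	// Self-signed means issuer == subject and the signature verifies with the cert's own key.
	if bytes.Equal(cert.RawIssuer, cert.RawSubject) &&
		cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil {
		return "self signed certificate"
	}
	return "untrusted certificate: issuer " + cert.Issuer.CommonName + " not in trusted list"
}
```

Checking a CA-issued server certificate against x509.NewCertPool() with nothing added reproduces the empty-store case from the thread and yields the "untrusted" message; adding the CA to the pool makes the same certificate verify, while a self-signed certificate is reported as such under either pool.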

Vincent Lefevre

Dec 12, 2012, 9:00:01 PM
Hi,

On 2012-12-13 10:12:51 +0900, Atsuhito Kohda wrote:
> I can't reproduce the problem with either testing
> (2.8.8dev.12-2) or unstable (2.8.8dev.15-1).

Try:

SSL_CERT_FILE=/dev/null lynx https://gforge.inria.fr/

Thomas Dickey

Dec 12, 2012, 9:00:02 PM
On Thu, Dec 13, 2012 at 10:12:51AM +0900, Atsuhito Kohda wrote:
> Hi all,
>
> I can't reproduce the problem with either testing
> (2.8.8dev.12-2) or unstable (2.8.8dev.15-1).

I can - but even if we modified lynx so that the default path for the cert
file is compiled-in, there's still some ambiguity in the return-codes from
gnutls which could be viewed as the same issue.

Atsuhito Kohda

Dec 12, 2012, 10:40:01 PM
Hi Vincent,

Please stop mailing only to 695653...@bugs.debian.org;
mail to 695...@bugs.debian.org instead.
I seldom visit the web site "http://www.debian.org/Bugs/".

I've failed to get most of your reports. Thanks.

Best regards, 2012-12-13(Thu)

--
Debian Developer - much more I18N of Debian
Atsuhito Kohda <kohda AT debian.org>
Department of Math., Univ. of Tokushima

Atsuhito Kohda

Dec 12, 2012, 10:50:01 PM
Hi Vincent,

On Thu, 13 Dec 2012 02:48:39 +0100, Vincent Lefevre wrote:

> Try:
>
> SSL_CERT_FILE=/dev/null lynx https://gforge.inria.fr/

But this is apparently wrong usage. What is your main point?


Best regards, 2012-12-13(Thu)

--
Debian Developer - much more I18N of Debian
Atsuhito Kohda <kohda AT debian.org>
Department of Math., Univ. of Tokushima


Vincent Lefevre

Dec 13, 2012, 4:30:03 AM
On 2012-12-13 12:15:55 +0900, Atsuhito Kohda wrote:
> > SSL_CERT_FILE=/dev/null lynx https://gforge.inria.fr/
>
> But this is apparently wrong usage. What is your main point?

No, this is not forbidden, just like not using the global config file
(which happened by mistake after the location of the global config file
had changed from /etc/lynx.cfg to /etc/lynx-cur/lynx.cfg in the past).

--
Vincent Lefèvre <vin...@vinc17.net> - Web: <http://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <http://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)


Adam D. Barratt

Dec 13, 2012, 4:30:02 PM
On Thu, 2012-12-13 at 12:29 +0900, Atsuhito Kohda wrote:
> Please stop to mail only to 695653...@bugs.debian.org
> but mail to 695...@bugs.debian.org

The BTS automatically sets the Reply-To: for a mail to NNNN-submitter to
use NNNN-quiet.

Regards,

Adam

Debian Bug Tracking System

Dec 2, 2013, 11:40:03 PM
Your message dated Tue, 03 Dec 2013 04:33:54 +0000
with message-id <E1VnhgI-...@franck.debian.org>
and subject line Bug#695653: fixed in lynx-cur 2.8.8pre1-1
has caused the Debian Bug report #695653,
regarding lynx-cur: on any https URL, I get "SSL error:self signed certificate"
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


--
695653: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=695653
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems