Control: reassign 752610 lynx-cur 2.8.8dev.12-2

On 2014-06-27 Kurt Roeckx <k...@roeckx.be> wrote:
> On Fri, Jun 27, 2014 at 08:05:41PM +0200, Andreas Metzler wrote:
>> On 2014-06-26 Kurt Roeckx <k...@roeckx.be> wrote:
>>> On Thu, Jun 26, 2014 at 07:58:04PM +0200, Andreas Metzler wrote:
>> [...]
>>>> indeed an important difference comes up when comparing
>>>> gnutls-cli -p 443 gnutls.notary.icsi.berkeley.edu --x509cafile \
>>>> /etc/ssl/certs/ca-certificates.crt
>>>> with libgnutls26_2.12.20-8 and libgnutls26_2.12.20-8+deb7u1. The older
>>>> unfixed version connects successfully and trusts the certificate, the
>>>> newer one does not.
>>> As said, I can reproduce it with +deb7u2.
>> [...]
>> To de-murk waters: You can reproduce it with lynx, not with gnutls-cli.
[...]
Hello,

Well, looking at lynx's source code HTTP.c we find this:
-------------------
    ret = gnutls_certificate_verify_peers2(handle->gnutls_state, &tls_status);
    if (ret < 0 || (ret == 0 && tls_status & GNUTLS_CERT_SIGNER_NOT_FOUND)) {
        int flag_continue = 1;
        char *msg2;

        if (ret == 0 && tls_status & GNUTLS_CERT_SIGNER_NOT_FOUND) {
            msg2 = gettext("the certificate has no known issuer");
        } else if (tls_status & GNUTLS_CERT_SIGNER_NOT_FOUND) {
            msg2 = gettext("no issuer was found");
        } else if (tls_status & GNUTLS_CERT_SIGNER_NOT_CA) {
            msg2 = gettext("issuer is not a CA");
        } else if (tls_status & GNUTLS_CERT_REVOKED) {
            msg2 = gettext("the certificate has been revoked");
        } else {
            msg2 = gettext("the certificate is not trusted");
        }
        HTSprintf0(&msg, SSL_FORCED_PROMPT, msg2);
        CTRACE((tfp, "HTLoadHTTP: %s\n", msg));
        if (!ssl_noprompt) {
            if (!HTForcedPrompt(ssl_noprompt, msg, YES)) {
                flag_continue = 0;
            }
        } else if (ssl_noprompt == FORCE_PROMPT_NO) {
            flag_continue = 0;
        }
-------------------
Which I read as certificate verification only fails if either gnutls_certificate_verify_peers2 throws an error (ret<0) or the verification status is GNUTLS_CERT_SIGNER_NOT_FOUND. The cert throws GNUTLS_CERT_INVALID.

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
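To make the reading above concrete, here is an added stand-alone model of the decision (not lynx's code and not its eventual patch): the original condition is placed beside a corrected one that treats any non-zero verification status as a failure, and both are run over constructed status words. The GNUTLS_CERT_* bit values are copied from gnutls.h so the example builds without the library.

```c
#include <stdio.h>
#include <stdbool.h>

/* Bit values of gnutls_certificate_status_t, copied from gnutls.h so this
 * example compiles without gnutls installed. */
#define GNUTLS_CERT_INVALID          2
#define GNUTLS_CERT_REVOKED          32
#define GNUTLS_CERT_SIGNER_NOT_FOUND 64
#define GNUTLS_CERT_SIGNER_NOT_CA    128

/* Mirrors the condition quoted from lynx's HTTP.c: a verification result is
 * only treated as a failure when the call itself errored or when the
 * SIGNER_NOT_FOUND bit is set. Returns true when lynx would warn the user. */
bool lynx_original_would_warn(int ret, unsigned status)
{
    return ret < 0 || (ret == 0 && (status & GNUTLS_CERT_SIGNER_NOT_FOUND));
}

/* Corrected condition (hypothetical, not lynx's actual fix): gnutls sets
 * GNUTLS_CERT_INVALID whenever the chain failed for any reason, so any
 * non-zero status after a successful call must be treated as a failure. */
bool lynx_fixed_would_warn(int ret, unsigned status)
{
    return ret < 0 || status != 0;
}

/* Message selection in the same order of specificity lynx uses. */
const char *describe_status(unsigned status)
{
    if (status & GNUTLS_CERT_SIGNER_NOT_FOUND) return "no issuer was found";
    if (status & GNUTLS_CERT_SIGNER_NOT_CA)    return "issuer is not a CA";
    if (status & GNUTLS_CERT_REVOKED)          return "the certificate has been revoked";
    return "the certificate is not trusted";
}

int main(void)
{
    /* Constructed status words; the report only says the notary cert
     * yields GNUTLS_CERT_INVALID, the detail bits here are illustrative. */
    struct { const char *name; int ret; unsigned status; } cases[] = {
        { "trusted chain",          0, 0 },
        { "unknown issuer",         0, GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_NOT_FOUND },
        { "issuer not a CA",        0, GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_NOT_CA },
        { "revoked",                0, GNUTLS_CERT_INVALID | GNUTLS_CERT_REVOKED },
        { "invalid, no detail bit", 0, GNUTLS_CERT_INVALID },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-24s original:%s fixed:%s (%s)\n", cases[i].name,
               lynx_original_would_warn(cases[i].ret, cases[i].status) ? "warn " : "trust",
               lynx_fixed_would_warn(cases[i].ret, cases[i].status) ? "warn " : "trust",
               describe_status(cases[i].status));
    return 0;
}
```

Only the "unknown issuer" row triggers a warning under the original condition; the other failed chains are silently accepted, which is the behaviour reported against lynx.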