Hi people, to add to all the traffic on the list... I've implemented full SSL certificate validation taking into account wildcard certificates (only if the wildcard is the first character, I feel it's more secure this way) and multiple CNs in the DN (as employed by e.g. cacert.org).
The code can be seen at the moment at the following address:

http://mirbsd.mirsolutions.de/cvs.cgi/src/gnu/usr.bin/lynx/WWW/Library/Implementation/HTTP.c?rev=HEAD

Please look at it; once I have received a comment from Tom Dickey I will prepare a standard unidiff against 2.8.6dev.17, test that and submit it for inclusion into 2.8.6dev.18 (I hope it can make it).

I didn't prepare a patch yet because I want to test it a bit more locally (works for at least two testcases; no regression in "normal" behaviour until now) and because I would like to hear some comments on how I've done things (of course, the #if 0'd stuff will not be seen in the patch I am going to submit).

If I get annoyed enough I might also implement some other means of validation for certificates covering multiple vhosts, because my operating system (MirOS BSD) is of course supposed to be as secure as OpenBSD; running SSL/TLS by default (lynx, sendmail) and distributing a collection of CA certificates in the standard installation* is part of this agenda.

*) http://mirbsd.mirsolutions.de/cvs.cgi/src/etc/ssl.certs.shar?rev=HEAD

Please feel free to use them. These are the certificates from MSIE 5 on Win2k, some Netscape, plus CAcert.org; old or invalid certificates removed or (when applicable, e.g. Thawte Root Rollover) updated. I do of course not warrant they're correct, but that's the "standard set" trusted by "the others" too.

bye,
//mirabilos

-- 
I believe no one can invent an algorithm. One just happens to hit upon it when God enlightens him. Or only God invents algorithms, we merely copy them. If you don't believe in God, just consider God as Nature if you won't deny existence.
	-- Coywolf Qi Hunt

_______________________________________________
Lynx-dev mailing list
Lynx-dev@nongnu.org
http://lists.nongnu.org/mailman/listinfo/lynx-dev
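The post describes two rules for matching the server name against the certificate: a wildcard is honoured only when it is the first character of the name, and every CN in the DN is tried, not just the first. The following is an added illustration of that matching logic, written for this page; it is not the HTTP.c code from the MirOS lynx tree. It assumes, beyond what the post states, that a leading "*." covers exactly one extra DNS label, that a wildcard name must carry at least two further labels (so "*.org" is rejected), and that the CNs arrive as plain C strings already extracted from the subject DN; the function names and the sample CN list are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Case-insensitive equality of two DNS names (DNS names are case-insensitive). */
static int dns_name_equal(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == '\0' && *b == '\0';
}

/* Does one certificate name cover the requested host?  Returns 1 or 0.
 * Rules (assumed for this example, modelled on the post):
 *  - a '*' is accepted only as the very first character and only in the
 *    form "*.rest"; a wildcard anywhere else, a bare "*" or a second '*'
 *    makes the name unusable;
 *  - "*.rest" must contain at least two dots ("*.example.org"), so a
 *    wildcard over a whole top-level domain is refused;
 *  - "*.example.org" covers exactly one extra label ("www.example.org"),
 *    neither "a.b.example.org" nor "example.org" itself;
 *  - without a wildcard the names must be equal, ignoring case. */
int cert_name_matches(const char *cert_name, const char *host)
{
    if (cert_name == NULL || host == NULL || *cert_name == '\0' || *host == '\0')
        return 0;

    const char *star = strchr(cert_name, '*');
    if (star == NULL)
        return dns_name_equal(cert_name, host);

    /* Wildcard present: it must be the first character, be followed by '.',
     * and be the only '*' in the name. */
    if (star != cert_name || cert_name[1] != '.' || strchr(cert_name + 1, '*') != NULL)
        return 0;

    /* Require "*.label.label" at minimum: count the dots in the suffix. */
    int dots = 0;
    for (const char *p = cert_name + 1; *p; p++)
        if (*p == '.')
            dots++;
    if (dots < 2)
        return 0;

    /* The host needs a non-empty first label; the remainder (starting at the
     * first dot) must equal the suffix after the '*'. */
    const char *host_dot = strchr(host, '.');
    if (host_dot == NULL || host_dot == host)
        return 0;
    return dns_name_equal(host_dot, cert_name + 1);
}

/* Try every CN found in the subject DN, as the post does for CAs that issue
 * several.  Returns the index of the first matching CN, or -1 if none fits. */
int find_matching_cn(const char *const *cns, size_t ncns, const char *host)
{
    for (size_t i = 0; i < ncns; i++)
        if (cert_name_matches(cns[i], host))
            return (int)i;
    return -1;
}

int main(void)
{
    /* Constructed sample DN with three CNs; not taken from any real certificate. */
    const char *const cns[] = { "www.example.org", "*.example.net", "mail.example.org" };
    const size_t ncns = sizeof cns / sizeof cns[0];
    const char *const hosts[] = { "WWW.example.org", "imap.example.net",
                                  "a.b.example.net", "example.net", "ftp.example.org" };

    for (size_t i = 0; i < sizeof hosts / sizeof hosts[0]; i++) {
        int idx = find_matching_cn(cns, ncns, hosts[i]);
        if (idx < 0)
            printf("%-18s -> no CN matches, reject\n", hosts[i]);
        else
            printf("%-18s -> matched CN[%d] \"%s\"\n", hosts[i], idx, cns[idx]);
    }
    return 0;
}
```

The comparison works on the name after the host's first label, so a wildcard can never widen the match beyond one label; a name like "mail.*.example.org" or "*.org" simply never matches anything, which is the safe failure mode for a browser.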