Hello, lynx 2.8.9dev3 (GnuTLS) invokes gnutls_certificate_verify_peers2() but does not use/check all error flags. e.g. certificate expiration is not checked. <https://bugs.debian.org/745835>. Find attached a patch against 2.8.9dev3 to change the respective code to simply check for /any/ error and use gnutls_certificate_verification_status_print() to print what exactly failed. This follows the example in upstream's documentation <http://www.gnutls.org/manual/html_node/Simple-client-example-with-X_002e509-certificate-support.html#Simple-client-example-with-X_002e509-certificate-support>.
The respective function was added in GnuTLS 3.1.4 (released in November 2012). Please double-check, I am not a programmer by profession. thanks, cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.' `I sew his ears on from time to time, sure'
Description: Make use of gnutls_certificate_verification_status_print instead of only checking a selection of verification errors. Author: Andreas Metzler <[email protected]> Origin: vendor Bug: <url in upstream bugtracker> Bug-Debian: https://bugs.debian.org/<bugnumber> Bug-Ubuntu: https://launchpad.net/bugs/<bugnumber> Forwarded: <no|not-needed|url proving that it has been forwarded> Reviewed-By: <name and email of someone who approved the patch> Last-Update: <YYYY-MM-DD> --- a/WWW/Library/Implementation/HTTP.c +++ b/WWW/Library/Implementation/HTTP.c @@ -782,23 +782,22 @@ static int HTLoadHTTP(const char *arg, GNUTLS_VERIFY_DO_NOT_ALLOW_SAME | GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT); ret = gnutls_certificate_verify_peers2(handle->gnutls_state, &tls_status); - if (ret < 0 || (ret == 0 && - tls_status & GNUTLS_CERT_SIGNER_NOT_FOUND)) { - int flag_continue = 1; - char *msg2; + if (ret < 0 || tls_status != 0) { + int flag_continue = 1, type; + gnutls_datum_t out; - if (ret == 0 && tls_status & GNUTLS_CERT_SIGNER_NOT_FOUND) { - msg2 = gettext("the certificate has no known issuer"); - } else if (tls_status & GNUTLS_CERT_SIGNER_NOT_FOUND) { - msg2 = gettext("no issuer was found"); - } else if (tls_status & GNUTLS_CERT_SIGNER_NOT_CA) { - msg2 = gettext("issuer is not a CA"); - } else if (tls_status & GNUTLS_CERT_REVOKED) { - msg2 = gettext("the certificate has been revoked"); - } else { - msg2 = gettext("the certificate is not trusted"); + if (ret < 0) { + HTSprintf0(&msg, SSL_FORCED_PROMPT, gettext( + "GnuTLS error when trying to verify certificate.")); + } + else + { + type = gnutls_certificate_type_get(handle->gnutls_state); + ret = gnutls_certificate_verification_status_print (tls_status, + type, &out, 0); + HTSprintf0(&msg, SSL_FORCED_PROMPT, out.data); + gnutls_free(out.data); } - HTSprintf0(&msg, SSL_FORCED_PROMPT, msg2); CTRACE((tfp, "HTLoadHTTP: %s\n", msg)); if (!ssl_noprompt) { if (!HTForcedPrompt(ssl_noprompt, msg, YES)) {
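Review bot: The return value of gnutls_certificate_verification_status_print() is stored in `ret` but never checked in the new `else` branch; if the call fails, `out.data` is never set, so `HTSprintf0(&msg, SSL_FORCED_PROMPT, out.data);` and `gnutls_free(out.data);` operate on an indeterminate pointer. Test `ret < 0` after the call and fall back to a fixed gettext() message before touching `out`. Three smaller points in the same hunk: `out.data` is `unsigned char *`, so it should be cast to `char *` where it is passed as the string argument; the `ret < 0` branch reports only a generic "GnuTLS error" and could append gnutls_strerror(ret) so the user learns which error occurred; and because gnutls_certificate_verification_status_print() only exists from GnuTLS 3.1.4 (as the cover mail notes), the call needs a GNUTLS_VERSION_NUMBER guard or a configure-time check, or the raised minimum GnuTLS version should be documented, otherwise the file no longer builds against older releases. Style: the new `}` / `else` / `{` layout differs from the surrounding `} else {` convention, and `type` is better declared as `gnutls_certificate_type_t` than `int`.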
_______________________________________________ Lynx-dev mailing list [email protected] https://lists.nongnu.org/mailman/listinfo/lynx-dev
