Here's a patch that adds verification of SSL server certificates, plus a check that the certificate's CN matches the requested host; when either check fails, Lynx prompts the user, who may choose to continue anyway. It
requires a "cert.pem" file or cert files in the "certs" subdirectory in
your OpenSSL directory for CA verification. The mod_ssl distribution
includes a "ca-bundle.crt" that has a good set of root certifying
authority certs and works well for "cert.pem". Adding custom CA root
certs can be done by either putting them in the server "cert.pem", or
(for a normal user) copying "cert.pem", adding the cert, and setting the
SSL_CERT_FILE environment variable before running Lynx.
Anyway, here is the patch. Please CC me on any responses, as I'm not on
the list. (I tried to send this a couple of times before, but according
to the web archives it just disappeared; I then found that I have to be
subscribed to [EMAIL PROTECTED] to post. Maybe this should be noted on a
web page somewhere, since it contradicts the documentation.)
--
Chris Adams <[EMAIL PROTECTED]>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
diff -urN lynx2-8-4-dist/WWW/Library/Implementation/HTTP.c
lynx2-8-4/WWW/Library/Implementation/HTTP.c
--- lynx2-8-4-dist/WWW/Library/Implementation/HTTP.c Sat Jul 14 21:06:16 2001
+++ lynx2-8-4/WWW/Library/Implementation/HTTP.c Thu Aug 1 19:51:42 2002
@@ -73,6 +73,7 @@
#ifdef USE_SSL
PUBLIC SSL_CTX * ssl_ctx = NULL; /* SSL ctx */
+PUBLIC int ssl_okay;
PRIVATE void free_ssl_ctx NOARGS
{
@@ -80,6 +81,29 @@
SSL_CTX_free(ssl_ctx);
}
+PRIVATE int HTSSLCallback(int preverify_ok, X509_STORE_CTX *x509_ctx)
+{
+ char msg[256];
+
+ if (preverify_ok || ssl_okay)
+ return 1;
+
+#if NOTDEFINED
+ snprintf(msg, 256, "SSL error:%s-Continue?",
+ X509_verify_cert_error_string(X509_STORE_CTX_get_error(x509_ctx)));
+ if (! HTConfirmDefault(msg, TRUE))
+ return 0;
+#else
+ if (! HTConfirmDefault("Error verifying SSL certificate - Continue?",
+ TRUE))
+ return 0;
+#endif /* NOTDEFINED */
+
+ /* Once the user has said okay once, just go on from then on */
+ ssl_okay = 1;
+ return 1;
+}
+
PUBLIC SSL * HTGetSSLHandle NOARGS
{
if (ssl_ctx == NULL) {
@@ -94,9 +118,11 @@
ssl_ctx = SSL_CTX_new(SSLv23_client_method());
SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL);
SSL_CTX_set_default_verify_paths(ssl_ctx);
+ SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, HTSSLCallback);
#endif /* SSLEAY_VERSION_NUMBER < 0x0800 */
atexit(free_ssl_ctx);
}
+ ssl_okay = 0;
return(SSL_new(ssl_ctx));
}
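Review bot: The new `ssl_okay = 0;` before `SSL_new()` is the only thing that scopes the user's earlier "continue" answer to one connection, yet nothing says so; a comment such as `/* reset the user's "continue anyway" answer for each new SSL handle; HTSSLCallback sets it */` would spare the next reader a search. Because the callback is installed on the shared `ssl_ctx` and reads a file-scope global rather than per-SSL state, the scheme relies on only one handle being in use at a time, which presumably holds for Lynx but deserves a note at the `ssl_okay` declaration. The trailing `#endif /* SSLEAY_VERSION_NUMBER < 0x0800 */` shows `SSL_CTX_set_verify()` lands only in the newer-OpenSSL branch; the older branch lies outside the hunk, so whether it gets any verification at all is not visible here.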
@@ -386,6 +412,11 @@
char *connect_host = NULL; /* The host being proxied */
SSL * handle = NULL; /* The SSL handle */
char SSLprogress[256]; /* progress bar message */
+ char ssl_dn[256];
+ char *cert_host;
+ char *ssl_host;
+ char *p;
+ char msg[256];
#if SSLEAY_VERSION_NUMBER >= 0x0900
BOOL try_tls = TRUE;
#endif /* SSLEAY_VERSION_NUMBER >= 0x0900 */
@@ -554,20 +585,24 @@
goto done;
#endif /* SSLEAY_VERSION_NUMBER >= 0x0900 */
}
- sprintf(SSLprogress,"Secure %d-bit %s (%s) HTTP
connection",SSL_get_cipher_bits(handle,NULL),SSL_get_cipher_version(handle),SSL_get_cipher(handle));
- _HTProgress(SSLprogress);
-#ifdef NOTDEFINED
- if (strcmp(HTParse(url, "", PARSE_HOST),
- strstr(X509_NAME_oneline(
- X509_get_subject_name(
- handle->session->peer)),"/CN=")+4)) {
- HTAlert("Certificate is for different host name");
- HTAlert(strstr(X509_NAME_oneline(
- X509_get_subject_name(
- handle->session->peer)),"/CN=")+4);
+ X509_NAME_oneline(X509_get_subject_name(SSL_get_peer_certificate(handle)),
+ ssl_dn, 256);
+ cert_host = strstr(ssl_dn, "/CN=") + 4;
+ if ((p = strchr(cert_host, '/')) != NULL)
+ *p = '\0';
+ ssl_host = HTParse(url, "", PARSE_HOST);
+ if (strcmp(ssl_host, cert_host)) {
+ snprintf(msg, 256, "SSL error:host(%s)!=cert(%s)-Continue?", ssl_host,
+ cert_host);
+ if (! HTConfirmDefault(msg, TRUE)) {
+ status = HT_NOT_LOADED;
+ goto done;
+ }
}
-#endif /* NOTDEFINED */
+
+ sprintf(SSLprogress,"Secure %d-bit %s (%s) HTTP
+connection",SSL_get_cipher_bits(handle,NULL),SSL_get_cipher_version(handle),SSL_get_cipher(handle));
+ _HTProgress(SSLprogress);
}
#endif /* USE_SSL */
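Review bot: `SSL_get_peer_certificate(handle)` on the first added line is passed straight to `X509_get_subject_name()` without a NULL check and its reference is never released with `X509_free()`, so a server that presents no certificate crashes Lynx and every successful connection leaks one X509. The `strstr(ssl_dn, "/CN=") + 4` that follows dereferences NULL+4 when the subject has no CN, and it will match a `/CN=` embedded in an earlier attribute value (an `O=` field, say) of the one-line DN; `X509_NAME_get_text_by_NID(..., NID_commonName, ...)` avoids both, and comparing its returned length with `strlen()` catches an embedded NUL. The `strcmp()` is case-sensitive although DNS names are not, and neither wildcards nor subjectAltName dNSName entries are consulted, so certificates relying on either will prompt on every visit — worth a comment even if not fixed here. `HTParse()` presumably returns allocated storage (confirm against its definition), in which case `ssl_host` leaks too, and if PARSE_HOST retains a `:port` suffix, non-443 https URLs will never match; as in the verify callback, the confirm default of TRUE lets Enter accept the mismatch. The rewritten lines below need `X509 *peer; int cn_len, mismatch;` added to the locals declared earlier in the enclosing function, whose body extends well beyond this hunk.
```c
	peer = SSL_get_peer_certificate(handle);
	if (peer == NULL) {
	    HTAlert("SSL error: server presented no certificate");
	    status = HT_NOT_LOADED;
	    goto done;
	}
	/* Fetch the CN by NID instead of scanning the one-line DN for "/CN=":
	 * strstr() yields NULL when there is no CN (then +4 is dereferenced),
	 * and "/CN=" can also occur inside an earlier attribute value. */
	cn_len = X509_NAME_get_text_by_NID(X509_get_subject_name(peer),
					   NID_commonName, ssl_dn, sizeof ssl_dn);
	X509_free(peer);	/* SSL_get_peer_certificate() returns a new reference */
	if (cn_len <= 0 || (size_t)cn_len != strlen(ssl_dn))
	    ssl_dn[0] = '\0';	/* no CN, or an embedded NUL: force a mismatch */
	cert_host = ssl_dn;
	ssl_host = HTParse(url, "", PARSE_HOST);
	/* DNS names are case-insensitive, so compare accordingly. */
	mismatch = strcasecomp(ssl_host, cert_host);
	if (mismatch)
	    snprintf(msg, sizeof msg, "SSL error:host(%s)!=cert(%s)-Continue?",
		     ssl_host, cert_host);
	FREE(ssl_host);		/* HTParse() result looks heap-allocated - confirm */
	if (mismatch && !HTConfirmDefault(msg, FALSE)) {
	    status = HT_NOT_LOADED;
	    goto done;
	}
	/* … unchanged: "Secure %d-bit ..." progress message … */
```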