On Sat, Oct 11, 2003 at 11:42:21AM -0700, Ilya Zakharevich wrote:
> I installed openssl 0.9.7c. I installed mod_ssl's PEM file where lynx
> can find it. [Howto verify: connection to https://www.ibm.com goes
> without any warning.]

In luck this time (I spent yesterday bending configurations to test other stuff), I get this with my Debian/testing configuration for "free".

> Now I try to connect to
> https://mirbsd.bsdadvocacy.org:8890/active/cvsweb.cgi/src/etc/
> (as mentioned in one of [very unhelpful] openssl-setup advices).
>
> I get a prompt
>
> SSL error:unable to get local issuer certificate-Continue? (y)

same

> If I answer no: connection succeeds. End of story.

? (mine cancels as expected)

> If I answer yes: I'm presented with the same question again.

um, yes - it isn't satisfied yet. But if I continue, the trace indicates that it's making the connection.

> a) Why? The trace shows "connection without TSL". Should not the
> prompt reflect the difference? Should not the difference be explained
> somewhere?
>
> b) If I answer yes: immediate segfault (in some non-trivial place,
> like inside fopen())

in lynx, or openssl?

> c) If I answer no: half of the page is loaded, then I get a segfault.

:-(

> d) And at the beginning of it all, the initial message is not very
> helpful either. As my correspondent with Mozilla found, this place
> *has* a certificate, but it is not chained to anything "standard", so
> is not "trusted". Cannot a different message be shown?

The message comes from openssl, not lynx. There might be a better way to set up the check (to get a different error message for instance), but looking at the code of X509_verify_cert_error_string, I don't see that would happen. The problem is that it's jargon - needs some explanation.

--
Thomas E. Dickey <[EMAIL PROTECTED]>
http://invisible-island.net
ftp://invisible-island.net
