[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Lynx-dev] can Lynx be used today ? (fwd)

From: Doug Kaufman
Subject: Re: [Lynx-dev] can Lynx be used today ? (fwd)
Date: Sun, 12 Sep 2004 18:30:35 -0700 (PDT)

On Sun, 12 Sep 2004, A. R. Vener wrote:

> I finally upgraded to lynx 2.8.5.
> It seems to work, but when I access https sites, I get the message:
> ssl error unable to get local issuer certificate. continue? (y):
> hitting 'y'  gets past the ssl error and I connect.
> This problem never happened with lynx 2.8.4. Why does it happen with lynx 
> 2.8.5 and 
> what can I do about it?

The essence is that lynx 2.8.4 was never giving you a secure
connection; you were just never told. When you connect over a secure
connection, your browser needs to compare the certificate presented by
the website with a certificate that you trust, to make sure that they
are who they claim to be, rather than an imposter website. In the past
lynx never complained if the check failed. This error usually means
that you never installed a set of trusted certificates. Since the
value of the certificates depends on how you got them, such a set is
not distributed with lynx.

If your security needs are minimal, you can get a copy of the set of
certificates that I use from my web site. Sets of certificates are
also distributed with some software packages. Otherwise you need to
get your own certificates in a secure manner from the certificating
agencies which you trust. The default location for the certificate
bundle varies according to platform and as to how the openssl library
with which lynx was linked was compiled. On unix, typical locations
might be /usr/local/ssl/cert/cert.pem or /usr/share/ssl/cert/cert.pem.
On DJGPP, the default is usually /dev/env/DJDIR/ssl/cert/cert.pem. You
can place it wherever you like, if you set the environment variable
"SSL_CERT_FILE" to the full path of the cert bundle. Once you install
the certificates, the error will go away.

You can get a set of certificates from me at
Doug Kaufman
Internet: address@hidden

reply via email to

[Prev in Thread] Current Thread [Next in Thread]