[Lynx-dev] Update for HTTPS handling

From: Jamie Strandboge
Subject: [Lynx-dev] Update for HTTPS handling
Date: Wed, 07 Nov 2012 17:50:22 -0600
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:16.0) Gecko/20121028 Thunderbird/16.0.2


I was reviewing CVE-2012-5821[1] and the associated paper[2] and noticed
that a change was made to lynx 2.8.8dev.13 based on feedback from one of
the authors of the paper. The change seems to be the addition of the
following right before the call to gnutls_certificate_verify_peers2():
                                    GNUTLS_VERIFY_DO_NOT_ALLOW_SAME |

gnutls 3 will use GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT by default, but
gnutls 2 seems not to, so setting this explicitly makes sense.

However, this is not enough to prompt for self-signed certificates. Per
docs/README.sslcerts, lynx is supposed to prompt on self-signed
certificates, but it will happily accept them so long as they are otherwise
valid and the hostname checks don't fail. The problem occurs here:

ret = gnutls_certificate_verify_peers2(handle->gnutls_state, \
if (ret < 0) {

gnutls_certificate_verify_peers2() is returning '0' with a self-signed
certificate, but it does still set GNUTLS_CERT_SIGNER_NOT_FOUND.
Attached is a patch that prompts on a self-signed certificate and
removes the redundant 2nd check for GNUTLS_CERT_SIGNER_NOT_FOUND. This
patch is against 2.8.8dev.12 (so it includes the additional call to
gnutls_certificate_set_verify_flags()) and is lightly tested. I'd
appreciate any feedback you might have.



Jamie Strandboge       

Attachment: CVE-2012-5821.patch
Description: Text Data

Attachment: signature.asc
Description: OpenPGP digital signature
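The pitfall described in the message above, as an added example that is not part of the original post nor of lynx or the attached patch: gnutls_certificate_verify_peers2() returns 0 whenever verification ran, and reports the outcome in the status bitmask it fills in, so checking only `ret < 0` lets a self-signed chain (status carrying GNUTLS_CERT_SIGNER_NOT_FOUND) through. The function classify_peer() and the prompt/reject policy are my own illustration; the GNUTLS_CERT_* values are mirrored locally so the file builds without gnutls headers, and real code would include <gnutls/gnutls.h> instead. Hostname matching is a separate step and is not shown.

```c
/*
 * Added example (not lynx's code): deciding what to do with the result of
 * gnutls_certificate_verify_peers2().  In real code the pair comes from
 *
 *     unsigned int status;
 *     int ret = gnutls_certificate_verify_peers2(session, &status);
 *
 * A 0 return only means "verification ran"; the bitmask carries the verdict.
 */
#include <stdio.h>

#ifdef HAVE_GNUTLS
#include <gnutls/gnutls.h>
#else
/* Local mirror of the gnutls_certificate_status_t bits (assumed values,
 * taken from gnutls.h) so the example compiles without gnutls installed. */
#define GNUTLS_CERT_INVALID            (1u << 1)
#define GNUTLS_CERT_REVOKED            (1u << 5)
#define GNUTLS_CERT_SIGNER_NOT_FOUND   (1u << 6)
#define GNUTLS_CERT_SIGNER_NOT_CA      (1u << 7)
#define GNUTLS_CERT_INSECURE_ALGORITHM (1u << 8)
#define GNUTLS_CERT_NOT_ACTIVATED      (1u << 9)
#define GNUTLS_CERT_EXPIRED            (1u << 10)
#endif

enum peer_verdict {
    PEER_ERROR,    /* verify_peers2() itself failed (ret < 0) */
    PEER_TRUSTED,  /* chain verified cleanly (status == 0) */
    PEER_PROMPT,   /* only "signer not found": self-signed/unknown CA, ask the user */
    PEER_REJECT    /* revoked, expired, bad algorithm, or bits we do not understand */
};

/* Hypothetical policy: prompt on an unknown signer only; everything else
 * that is not a clean pass is rejected (fail closed). */
enum peer_verdict classify_peer(int ret, unsigned int status)
{
    const unsigned int hard_failures =
        GNUTLS_CERT_REVOKED | GNUTLS_CERT_SIGNER_NOT_CA |
        GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_NOT_ACTIVATED |
        GNUTLS_CERT_EXPIRED;

    if (ret < 0)
        return PEER_ERROR;       /* no verification happened at all */
    if (status == 0)
        return PEER_TRUSTED;     /* the only value that means "trusted" */

    /* GNUTLS_CERT_INVALID accompanies every other flag; strip it so it
     * does not hide the specific reason. */
    status &= ~(unsigned int)GNUTLS_CERT_INVALID;

    if (status & hard_failures)
        return PEER_REJECT;
    if (status == GNUTLS_CERT_SIGNER_NOT_FOUND)
        return PEER_PROMPT;      /* the case the message says lynx silently accepted */
    return PEER_REJECT;          /* unknown bits: do not guess, fail closed */
}

/* Text for the prompt or error message, most severe reason first. */
const char *describe_status(unsigned int status)
{
    if (status & GNUTLS_CERT_REVOKED)            return "certificate has been revoked";
    if (status & GNUTLS_CERT_EXPIRED)            return "certificate has expired";
    if (status & GNUTLS_CERT_NOT_ACTIVATED)      return "certificate is not yet valid";
    if (status & GNUTLS_CERT_INSECURE_ALGORITHM) return "signed with an insecure algorithm";
    if (status & GNUTLS_CERT_SIGNER_NOT_CA)      return "issuer is not a CA";
    if (status & GNUTLS_CERT_SIGNER_NOT_FOUND)   return "self-signed or unknown issuer";
    return status == 0 ? "chain verified" : "unrecognised verification failure";
}

int main(void)
{
    /* Constructed (ret, status) pairs; the third one is the bug from the post. */
    struct { int ret; unsigned int status; } cases[] = {
        { -1, 0 },
        {  0, 0 },
        {  0, GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_NOT_FOUND },
        {  0, GNUTLS_CERT_INVALID | GNUTLS_CERT_EXPIRED },
    };
    static const char *names[] = { "error", "trusted", "prompt", "reject" };
    for (unsigned i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        enum peer_verdict v = classify_peer(cases[i].ret, cases[i].status);
        printf("ret=%d status=0x%x -> %s (%s)\n", cases[i].ret,
               cases[i].status, names[v], describe_status(cases[i].status));
    }
    return 0;
}
```

Note that the `ret < 0` branch and the `status` branches are independent: a negative return means the library could not run verification at all (for instance, no certificate was presented), while the self-signed case reaches the caller with `ret == 0`, which is exactly why a return-value-only check is insufficient.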
