[Lynx-dev] bug in SSL certificate validation

lynx-dev

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Lynx-dev] bug in SSL certificate validation

From:	Thorsten Glaser
Subject:	[Lynx-dev] bug in SSL certificate validation
Date:	Fri, 6 Aug 2021 17:14:32 +0000 (UTC)

Hi,

this affects both OpenSSL and Debian’s nonGNUtls builds:

lynx https://user:pass@host/

… will lead to…

SSL 
error:host(user:pass@host)!=cert(CN<mainhost>:SAN<DNS=host>:SAN<DNS=otherhost>

… for OpenSSL lynx and…

SSL error:host(user:pass@host)!=cert(CN<mainhost>)-Continue? (n)

… for nonGNUtls lynx.

Obviously, user:pass@ need to be stripped before comparing. The
nonGNUtls version could also be changed to display the subjectAltName''s
the certificate has like the OpenSSL one does (after my patch from ages
ago; no, I’m not going to code for nonGNUtls).

bye,
//mirabilos
-- 
Gestern Nacht ist mein IRC-Netzwerk explodiert. Ich hatte nicht damit
gerechnet, darum bin ich blutverschmiert… wer konnte ahnen, daß SIE so
reagier’n… gestern Nacht ist mein IRC-Netzwerk explodiert~~~
        (as of 2021-06-15 The MirOS Project temporarily reconvenes on OFTC)

[Prev in Thread]

Current Thread

[Next in Thread]

[Lynx-dev] bug in SSL certificate validation, Thorsten Glaser <=
- Re: [Lynx-dev] bug in SSL certificate validation, Axel Beckert, 2021/08/06
- Re: [Lynx-dev] bug in Lynx' SSL certificate validation -> leaks password in clear text via SNI (under some circumstances), Axel Beckert, 2021/08/06
  - Re: [Lynx-dev] bug in Lynx' SSL certificate validation -> leaks password in clear text via SNI (under some circumstances), Thorsten Glaser, 2021/08/06
    - [Lynx-dev] SNI is a security vulnerability all by itself (was Re: bug in Lynx' SSL certificate validation -> leaks password in clear text via SNI (under some circumstances)), Thorsten Glaser, 2021/08/06
    - Re: [Lynx-dev] SNI is a security vulnerability all by itself (was Re: bug in Lynx' SSL certificate validation -> leaks password in clear text via SNI (under some circumstances)), David Woolley, 2021/08/07
    - Re: [Lynx-dev] SNI is a security vulnerability all by itself (was Re: bug in Lynx' SSL certificate validation -> leaks password in clear text via SNI (under some circumstances)), Thorsten Glaser, 2021/08/07
    - Re: [Lynx-dev] [oss-security] Re: bug in Lynx' SSL certificate validation -> leaks password in clear text via SNI (under some circumstances), Ariadne Conill, 2021/08/07
    - Re: [Lynx-dev] [oss-security] Re: bug in Lynx' SSL certificate validation -> leaks password in clear text via SNI (under some circumstances), Thorsten Glaser, 2021/08/07
    - Re: [Lynx-dev] [oss-security] Re: Bug#991971: bug in Lynx' SSL certificate validation -> leaks password in clear text via SNI (under some circumstances), Axel Beckert, 2021/08/07
    - Re: [Lynx-dev] [oss-security] Re: Bug#991971: bug in Lynx' SSL certificate validation -> leaks password in clear text via SNI (under some circumstances), Ariadne Conill, 2021/08/07

Next by Date: Re: [Lynx-dev] bug in SSL certificate validation
Next by thread: Re: [Lynx-dev] bug in SSL certificate validation
Index(es):
- Date
- Thread