Bug#752610: lynx: Can connect to CVE-2014-1959 test site

Andreas Metzler ametzler at bebt.de
Sun Jun 29 08:28:50 UTC 2014


Control: reassign 752610 lynx-cur 2.8.8dev.12-2

On 2014-06-27 Kurt Roeckx <kurt at roeckx.be> wrote:
> On Fri, Jun 27, 2014 at 08:05:41PM +0200, Andreas Metzler wrote:
>> On 2014-06-26 Kurt Roeckx <kurt at roeckx.be> wrote:
>>> On Thu, Jun 26, 2014 at 07:58:04PM +0200, Andreas Metzler wrote:
>> [...]
>>>> indeed an important difference comes up when comparing
>>>> gnutls-cli -p 443 gnutls.notary.icsi.berkeley.edu --x509cafile \
>>>> /etc/ssl/certs/ca-certificates.crt
>>>> with libgnutls26_2.12.20-8 and libgnutls26_2.12.20-8+deb7u1. The older
>>>> unfixed version connects successfully and trusts the certificate, the
>>>> newer one does not.
 
>>> As said, I can reproduce it with +deb7u2.
>> [...]
 
>> To de-murk waters: You can reproduce it with lynx, not with gnutls-cli.
[...]

Hello,

Well, looking at lynx's source code HTTP.c we find this:

-------------------
ret = gnutls_certificate_verify_peers2(handle->gnutls_state, &tls_status);
if (ret < 0 || (ret == 0 &&
                tls_status & GNUTLS_CERT_SIGNER_NOT_FOUND)) {
    int flag_continue = 1;
    char *msg2;

    if (ret == 0 && tls_status & GNUTLS_CERT_SIGNER_NOT_FOUND) {
        msg2 = gettext("the certificate has no known issuer");
    } else if (tls_status & GNUTLS_CERT_SIGNER_NOT_FOUND) {
        msg2 = gettext("no issuer was found");
    } else if (tls_status & GNUTLS_CERT_SIGNER_NOT_CA) {
        msg2 = gettext("issuer is not a CA");
    } else if (tls_status & GNUTLS_CERT_REVOKED) {
        msg2 = gettext("the certificate has been revoked");
    } else {
        msg2 = gettext("the certificate is not trusted");
    }
    HTSprintf0(&msg, SSL_FORCED_PROMPT, msg2);
    CTRACE((tfp, "HTLoadHTTP: %s\n", msg));
    if (!ssl_noprompt) {
        if (!HTForcedPrompt(ssl_noprompt, msg, YES)) {
            flag_continue = 0;
        }
    } else if (ssl_noprompt == FORCE_PROMPT_NO) {
        flag_continue = 0;
    }
-------------------

Which I read as certificate verification only fails if either
gnutls_certificate_verify_peers2 throws an error (ret<0) or the
verification status is GNUTLS_CERT_SIGNER_NOT_FOUND. The cert throws
GNUTLS_CERT_INVALID.

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
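The check quoted from lynx's HTTP.c above, modelled as two pure functions so the gap can be exercised without a TLS session (added example, not lynx or GnuTLS code; the flag values mirror gnutls/gnutls.h so the file compiles without GnuTLS installed, and the status combinations in main are constructed):

```c
/* Added example, not lynx or GnuTLS code. The flag values below are copied
 * from gnutls/gnutls.h so this builds without the GnuTLS headers. */
#include <stdio.h>

#define GNUTLS_CERT_INVALID          (1u << 1)
#define GNUTLS_CERT_REVOKED          (1u << 5)
#define GNUTLS_CERT_SIGNER_NOT_FOUND (1u << 6)
#define GNUTLS_CERT_SIGNER_NOT_CA    (1u << 7)

/* The condition lynx uses, as posted: refuse the peer only when
 * gnutls_certificate_verify_peers2() itself failed (ret < 0) or when
 * the status it stored in tls_status contains SIGNER_NOT_FOUND.
 * Returns 1 when lynx would refuse, 0 when it would proceed. */
static int lynx_as_posted_rejects(int ret, unsigned int status)
{
    return ret < 0 || (ret == 0 && (status & GNUTLS_CERT_SIGNER_NOT_FOUND));
}

/* Hardened form: GnuTLS sets GNUTLS_CERT_INVALID for every failed
 * verification, whatever the reason, so any non-zero status must be
 * treated as a failure rather than only one specific flag. */
static int hardened_rejects(int ret, unsigned int status)
{
    return ret < 0 || status != 0;
}

int main(void)
{
    /* Constructed statuses; the first is the case described in the mail. */
    struct { const char *what; int ret; unsigned int status; } cases[] = {
        { "invalid chain (test site)", 0, GNUTLS_CERT_INVALID },
        { "invalid, issuer not a CA",  0, GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_NOT_CA },
        { "invalid, revoked",          0, GNUTLS_CERT_INVALID | GNUTLS_CERT_REVOKED },
        { "invalid, unknown issuer",   0, GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_NOT_FOUND },
        { "verify call failed",       -1, 0 },
        { "valid",                     0, 0 },
    };
    size_t n = sizeof cases / sizeof cases[0], i;
    for (i = 0; i < n; i++)
        printf("%-28s posted: %-7s hardened: %s\n", cases[i].what,
               lynx_as_posted_rejects(cases[i].ret, cases[i].status) ? "reject" : "ACCEPT",
               hardened_rejects(cases[i].ret, cases[i].status) ? "reject" : "accept");
    return 0;
}
```

Only the "unknown issuer" and "verify call failed" rows are refused by the posted condition; the other invalid chains, the revoked one included, are accepted because those else-if branches are only reachable when ret is already negative.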


