[pkg-lynx-maint] Bug#795958: lynx-cur: certificate revocation checking is buggy
Vincent Lefevre
vincent at vinc17.net
Tue Aug 18 11:32:19 UTC 2015
Package: lynx-cur
Version: 2.8.9dev6-3
Severity: serious
Tags: security
If I run

  lynx https://www.vinc17.net:4434/

I get

  SSL error:The certificate is NOT trusted. The certificate chain is revoked.
  -Continue? (n)

as expected. But if I set up a test server with the same certificate
with:

  openssl s_server -CAfile old.crt -key old.key -cert old.crt -www

(the default port being 4433) and run

  lynx https://www.vinc17.net:4433/

I don't get any error.

No such problem with Iceweasel, which says:

  Secure Connection Failed
  An error occurred during a connection to www.vinc17.net:4433. Peer's
  Certificate has been revoked. (Error code: sec_error_revoked_certificate)

With curl, I get:

  $ curl --cert-status https://www.vinc17.net:4434/
  curl: (91) Server certificate was revoked: unspecified reason
  $ curl --cert-status https://www.vinc17.net:4433/
  curl: (91) No OCSP response received

I wonder why curl doesn't get an OCSP response in the 4433 case,
but at least one gets an error.

-- System Information:
Debian Release: stretch/sid
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 4.1.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=POSIX, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages lynx-cur depends on:
ii libbsd0 0.7.0-2
ii libbz2-1.0 1.0.6-8
ii libc6 2.19-19
ii libgnutls-deb0-28 3.3.17-1
ii libidn11 1.32-1
ii libncursesw5 5.9+20150516-2
ii libtinfo5 5.9+20150516-2
ii zlib1g 1:1.2.8.dfsg-2+b1
Versions of packages lynx-cur recommends:
ii mime-support 3.59
lynx-cur suggests no packages.
-- no debconf information