[pkg-lynx-maint] Bug#795958: lynx-cur: certificate revocation checking is buggy

Alessandro Ghedini ghedo at debian.org
Tue Aug 18 11:48:33 UTC 2015


On Tue, Aug 18, 2015 at 01:32:19pm +0200, Vincent Lefevre wrote:
> Package: lynx-cur
> Version: 2.8.9dev6-3
> Severity: serious
> Tags: security
> 
> If I run
> 
>   lynx https://www.vinc17.net:4434/
> 
> I get
> 
>   SSL error:The certificate is NOT trusted. The certificate chain is revoked.
>   -Continue? (n) 
> 
> as expected. But if I set up a test server with the same certificate
> with:
> 
>   openssl s_server -CAfile old.crt -key old.key -cert old.crt -www

Try adding the "-status" option here.

I think the problem is that both lynx and curl only support OCSP stapling,
while firefox also does full-blown OCSP. So, if you don't enable OCSP stapling
in s_server (with the -status option), lynx and curl won't receive any response,
while firefox will also try to contact the CA's OCSP server and receive a
response from that.

It's more like lack of a feature than an actual bug (hardly RC material though,
IMO).

Hope this helps.

Cheers
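To see whether a server actually staples an OCSP response (the distinction the reply above draws between stapling and a full OCSP lookup), here is an added example, not from the bug report or from lynx/curl, that classifies the output of `openssl s_client -status`; `check_host` assumes the given host:port is reachable, and the two sample transcripts are constructed.

```shell
#!/bin/sh
# Added example, not from the bug report or lynx: classify `openssl s_client -status`
# output by whether the server stapled an OCSP response and what it said.
# The sample transcripts below are constructed (abbreviated s_client output).

# Reads an s_client transcript on stdin and prints one of:
#   no-staple / stapled-good / stapled-revoked / stapled-other
classify_ocsp_staple() {
    transcript=$(cat)
    if printf '%s\n' "$transcript" | grep -q '^OCSP response: no response sent'; then
        echo no-staple
    elif printf '%s\n' "$transcript" | grep -q 'OCSP Response Status: successful'; then
        if printf '%s\n' "$transcript" | grep -q 'Cert Status: good'; then
            echo stapled-good
        elif printf '%s\n' "$transcript" | grep -q 'Cert Status: revoked'; then
            echo stapled-revoked
        else
            echo stapled-other     # response present but no clear cert status
        fi
    else
        echo no-staple             # no OCSP block at all in the handshake
    fi
}

# Query a live host:port (assumed reachable) and classify its handshake.
check_host() {
    openssl s_client -connect "$1" -servername "${1%%:*}" -status </dev/null 2>/dev/null \
        | classify_ocsp_staple
}

# Constructed: s_client output against an s_server started without -status.
SAMPLE_NO_STATUS='CONNECTED(00000003)
OCSP response: no response sent
---'

# Constructed: s_server started with -status, stapling a "revoked" response.
SAMPLE_REVOKED='CONNECTED(00000003)
OCSP response: 
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: revoked
======================================
---'

printf '%s\n' "$SAMPLE_NO_STATUS" | classify_ocsp_staple   # no-staple
printf '%s\n' "$SAMPLE_REVOKED"   | classify_ocsp_staple   # stapled-revoked
```

A `no-staple` result against a server you control means the client had nothing to check in the handshake, which is exactly the s_server-without-`-status` case described above.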