[pkg-lynx-maint] Bug#795958: lynx-cur: certificate revocation checking is buggy
Alessandro Ghedini
ghedo at debian.org
Tue Aug 18 11:48:33 UTC 2015
On Tue, Aug 18, 2015 at 01:32:19pm +0200, Vincent Lefevre wrote:
> Package: lynx-cur
> Version: 2.8.9dev6-3
> Severity: serious
> Tags: security
>
> If I run
>
> lynx https://www.vinc17.net:4434/
>
> I get
>
> SSL error:The certificate is NOT trusted. The certificate chain is revoked.
> -Continue? (n)
>
> as expected. But if I set up a test server with the same certificate
> with:
>
> openssl s_server -CAfile old.crt -key old.key -cert old.crt -www

Try adding the "-status" option here.

I think the problem is that both lynx and curl only support OCSP stapling,
while firefox also does full-blown OCSP. So, if you don't enable OCSP stapling
in s_server (with the -status option), lynx and curl won't receive any response,
while firefox will also try to contact the CA's OCSP server and receive a
response from that.

It's more like lack of a feature than an actual bug (hardly RC material though,
IMO).

Hope this helps.

Cheers
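Added example (not part of the original message, and not code from lynx, curl or OpenSSL): a shell helper that tells apart the two server setups discussed above, by classifying the OCSP section that `openssl s_client -status` prints. The function names and the sample transcripts are constructed for illustration.

```shell
#!/bin/sh
# Classify the OCSP stapling section of `openssl s_client -status` output.
# Reads the transcript on stdin and prints one word:
#   no-staple        server sent no stapled OCSP response
#   stapled-good     stapled response reports the certificate as good
#   stapled-revoked  stapled response reports the certificate as revoked
#   stapled-other    something was stapled, but with no good/revoked status
#   unknown          no OCSP section at all (e.g. the handshake failed)
classify_stapling() {
    awk '
        /OCSP response: no response sent/ { none = 1 }
        /OCSP Response Status:/           { stapled = 1 }
        /Cert Status: good/               { good = 1 }
        /Cert Status: revoked/            { revoked = 1 }
        END {
            # "revoked" wins over everything else seen in the transcript.
            if (revoked)      print "stapled-revoked"
            else if (good)    print "stapled-good"
            else if (stapled) print "stapled-other"
            else if (none)    print "no-staple"
            else              print "unknown"
        }
    '
}

# Live probe (hypothetical helper, not called here): $1 is host:port.
probe_stapling() {
    openssl s_client -connect "$1" -status </dev/null 2>/dev/null |
        classify_stapling
}

# Constructed transcript: server started without -status (nothing stapled).
SAMPLE_NO_STAPLE='CONNECTED(00000003)
OCSP response: no response sent
---'

# Constructed transcript: server staples a response for a revoked certificate.
SAMPLE_REVOKED='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: revoked
    Revocation Time: Aug 18 00:00:00 2015 GMT
---'

printf '%s\n' "$SAMPLE_NO_STAPLE" | classify_stapling
printf '%s\n' "$SAMPLE_REVOKED"   | classify_stapling
```

A `no-staple` result means a client that relies on stapling alone has no revocation information for that connection.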