[pkg-lynx-maint] Bug#991971: lynx: SSL certificate validation fails with URLs containing user name or user name and password, i.e. https://user:password@host/ and https://user@host/

Axel Beckert abe at debian.org
Fri Aug 6 22:43:13 BST 2021


Package: lynx
Version: 2.9.0dev.8-1
Severity: important
Tags: upstream, confirmed
Control: forwarded -1 https://lists.nongnu.org/archive/html/lynx-dev/2021-08/msg00000.html
Control: found -1 2.8.9dev1-2+deb8u1
Control: found -1 2.8.9dev11-1
Control: found -1 2.8.9rel.1-3
Control: found -1 2.9.0dev.6-2

Thorsten Glaser reported the following on the upstream dev mailing list
at https://lists.nongnu.org/archive/html/lynx-dev/2021-08/msg00000.html
(citing the parts that affect Debian, i.e. those when compiled against
GnuTLS and not OpenSSL):

> this affects both OpenSSL and Debian’s nonGNUtls builds:
> 
> lynx https://user:pass@host/
>
> … will lead to…
[…]
> SSL error:host(user:pass@host)!=cert(CN<mainhost>)-Continue? (n)
>
> … for nonGNUtls lynx.
> 
> Obviously, user:pass@ need to be stripped before comparing. The
> nonGNUtls version could also be changed to display the
> subjectAltName's the certificate has like the OpenSSL one does (after
> my patch from ages ago; […]

https://user@host/ is affected as well.

I was able to reproduce this issue in Lynx in all currently (in some
way) supported releases of Debian back to Debian 8 Jessie with ELTS
support and also in the most recent version in Debian Experimental.
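As an added illustration (not Lynx's code and not part of the bug report), the following extracts the host component of a URL, dropping the userinfo, port and path that Thorsten's report shows leaking into the comparison, and only then matches it against a certificate name. `url_host` and `host_matches_cert` are hypothetical names; the sample URLs are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Copy the host part of `url` into `out` (size outlen):
 * skips the scheme ("https://"), drops any userinfo ("user:pass@"),
 * drops ":port" and anything from '/', '?' or '#' on, and keeps a
 * bracketed IPv6 literal intact. Returns 1 on success, 0 if no host. */
int url_host(const char *url, char *out, size_t outlen)
{
    const char *p = strstr(url, "://");
    p = p ? p + 3 : url;

    /* The authority ends at the first '/', '?' or '#'. */
    size_t alen = strcspn(p, "/?#");

    /* Userinfo is everything up to the last '@' inside the authority
     * (last, so an unescaped '@' in a password is tolerated). */
    const char *at = NULL;
    for (size_t i = 0; i < alen; i++)
        if (p[i] == '@') at = p + i;
    if (at) { alen -= (size_t)(at + 1 - p); p = at + 1; }

    size_t hlen;
    if (alen > 0 && p[0] == '[') {               /* IPv6 literal */
        const char *close = memchr(p, ']', alen);
        if (!close) return 0;
        hlen = (size_t)(close + 1 - p);
    } else {                                      /* stop at ":port" */
        hlen = 0;
        while (hlen < alen && p[hlen] != ':') hlen++;
    }
    if (hlen == 0 || hlen >= outlen) return 0;
    memcpy(out, p, hlen);
    out[hlen] = '\0';
    return 1;
}

/* Compare the extracted host, not the raw URL, against a certificate
 * name (CN or dNSName), case-insensitively. 1 = match, 0 = mismatch. */
int host_matches_cert(const char *url, const char *cert_name)
{
    char host[256];
    if (!url_host(url, host, sizeof host)) return 0;
    for (size_t i = 0; ; i++) {
        int a = tolower((unsigned char)host[i]);
        int b = tolower((unsigned char)cert_name[i]);
        if (a != b) return 0;
        if (a == '\0') return 1;
    }
}
```

Wildcard names and the subjectAltName list itself are left to the TLS library; the point here is only that the string handed to it must be the bare host.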

P.S. to Thorsten: Feel free to set yourself as submitter of this bug
report. ☺

-- System Information:
Debian Release: 11.0
  APT prefers unstable
  APT policy: (990, 'unstable'), (600, 'testing'), (500, 'unstable-debug'), (500, 'testing-security'), (500, 'buildd-unstable'), (110, 'experimental'), (1, 'experimental-debug'), (1, 'buildd-experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.10.0-8-amd64 (SMP w/4 CPU threads)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
LSM: AppArmor: enabled

Versions of packages lynx depends on:
ii  libbsd0       0.11.3-1
ii  libbz2-1.0    1.0.8-4
ii  libc6         2.31-13
ii  libgnutls30   3.7.1-5
ii  libidn2-0     2.3.0-5
ii  libncursesw6  6.2+20201114-2
ii  libtinfo6     6.2+20201114-2
ii  lynx-common   2.9.0dev.6-2
ii  zlib1g        1:1.2.11.dfsg-2

Versions of packages lynx recommends:
ii  mime-support  3.66

lynx suggests no packages.

-- no debconf information