From debbugs-submit-bounces@debbugs.gnu.org Tue Feb 18 03:59:42 2014 Received: (at submit) by debbugs.gnu.org; 18 Feb 2014 08:59:42 +0000 Received: from localhost ([127.0.0.1]:57577 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.80) (envelope-from ) id 1WFgWj-0007KF-TK for submit@debbugs.gnu.org; Tue, 18 Feb 2014 03:59:42 -0500 Received: from eggs.gnu.org ([208.118.235.92]:52187) by debbugs.gnu.org with esmtp (Exim 4.80) (envelope-from ) id 1WFgWh-0007Jv-Iw for submit@debbugs.gnu.org; Tue, 18 Feb 2014 03:59:39 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1WFgWS-0003oV-Tv for submit@debbugs.gnu.org; Tue, 18 Feb 2014 03:59:34 -0500 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org X-Spam-Level: X-Spam-Status: No, score=-0.0 required=5.0 tests=BAYES_20 autolearn=disabled version=3.3.2 Received: from lists.gnu.org ([2001:4830:134:3::11]:44678) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1WFgWS-0003oR-Qx for submit@debbugs.gnu.org; Tue, 18 Feb 2014 03:59:24 -0500 Received: from eggs.gnu.org ([2001:4830:134:3::10]:53862) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1WFgWL-0003vP-Hl for bug-guix@gnu.org; Tue, 18 Feb 2014 03:59:24 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1WFgWE-0003md-80 for bug-guix@gnu.org; Tue, 18 Feb 2014 03:59:17 -0500 Received: from world.peace.net ([96.39.62.75]:40056) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1WFgWE-0003mZ-4o for bug-guix@gnu.org; Tue, 18 Feb 2014 03:59:10 -0500 Received: from 209-6-91-212.c3-0.smr-ubr1.sbo-smr.ma.cable.rcn.com ([209.6.91.212] helo=yeeloong) by world.peace.net with esmtpsa (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.72) (envelope-from ) id 1WFgW8-00014f-8b; Tue, 18 Feb 2014 03:59:04 -0500 From: Mark H Weaver To: bug-guix@gnu.org Subject: w3m fails to do any SSL certificate checking Date: Tue, 18 Feb 2014 03:58:21 -0500 Message-ID: <87ha7wol02.fsf@netris.org> MIME-Version: 1.0 Content-Type: text/plain X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6.x X-detected-operating-system: by eggs.gnu.org: Error: Malformed IPv6 address (bad octet value). X-Received-From: 2001:4830:134:3::11 X-Spam-Score: -5.0 (-----) X-Debbugs-Envelope-To: submit X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -5.0 (-----) In Guix, neither w3m nor emacs-w3m warn me when I visit an https URL that uses a server certificate that is both self-signed and expired. To make matters worse, if I ask for page information (with the '=' key), it tells me that the certificate is valid. On Debian, both w3m and emacs-w3m inform me when an SSL certificate is invalid in some way, e.g. if it's expired or not signed by a certificate authority in my trust store. Mark From debbugs-submit-bounces@debbugs.gnu.org Tue Feb 18 14:23:27 2014 Received: (at 16791) by debbugs.gnu.org; 18 Feb 2014 19:23:28 +0000 Received: from localhost ([127.0.0.1]:58901 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.80) (envelope-from ) id 1WFqGN-0003oi-Ap for submit@debbugs.gnu.org; Tue, 18 Feb 2014 14:23:27 -0500 Received: from moutng.kundenserver.de ([212.227.126.171]:54831) by debbugs.gnu.org with esmtp (Exim 4.80) (envelope-from ) id 1WFqGJ-0003oK-W2 for 16791@debbugs.gnu.org; Tue, 18 Feb 2014 14:23:25 -0500 Received: from debian (aqu33-1-82-66-2-95.fbx.proxad.net [82.66.2.95]) by mrelayeu.kundenserver.de (node=mreue007) with ESMTP (Nemesis) id 0LwSjL-1XMCd71uwR-018Gqs; Tue, 18 Feb 2014 20:23:02 +0100 Date: Tue, 18 Feb 2014 20:23:00 +0100 From: Andreas Enge To: Mark H Weaver Subject: Re: bug#16791: w3m fails to do any SSL certificate checking Message-ID: <20140218192300.GA9840@debian> References: <87ha7wol02.fsf@netris.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="r5Pyd7+fXNt84Ff3" Content-Disposition: inline In-Reply-To: <87ha7wol02.fsf@netris.org> User-Agent: Mutt/1.5.21 (2010-09-15) X-Provags-ID: V02:K0:CxiHjUQGwRV8MvvCdbfzmMV+n+KLAqYqJ7Lp5bO4BWz 2A0kX4ArJPASaO1jBD5XyYu8mBP4NAO7IkjXpxwfGXd8l3qGlX NCuXWcr/iyCB0Tx1cKU6W0H57nzMIQ7WgnvEeH9FgP6WsqrfTB oouY/mOa3g9sqKya82M2liNk4mytWOy8EmoJVbr0xoTc1S9VYx ILcvwuE94Mo7TAsmr8XhdrVA3UB6B8hqMDdBcVNHLEuIgdNgM9 Ib1ngUbFdYfCLANvODONaZRLbwmzeHN8vlg3/aPC/3qtzd6Eg6 A5CvDNqe9fbJKPLzIfUxt+QlHxLxFD9Kg8mUlE/JyqNMTsowQ= = X-Spam-Score: -0.0 (/) X-Debbugs-Envelope-To: 16791 Cc: 16791@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.0 (/) --r5Pyd7+fXNt84Ff3 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline On Tue, Feb 18, 2014 at 03:58:21AM -0500, Mark H Weaver wrote: > In Guix, neither w3m nor emacs-w3m warn me when I visit an https URL > that uses a server certificate that is both self-signed and expired. > To make matters worse, if I ask for page information (with the '=' key), > it tells me that the certificate is valid. > > On Debian, both w3m and emacs-w3m inform me when an SSL certificate is > invalid in some way, e.g. if it's expired or not signed by a certificate > authority in my trust store. w3m can be configured to not verify ssl certificates; but this is not the case for us. I checked that if the server presents a certificate for a different domain, there is a message: Bad cert ident xxx from yyy: accept? (y/n) However, the debian w3m asks whether a self-signed certificate should be accepted. Among the about 30 patches in debian for w3m, the name of only one is related to ssl; I am attaching it, but it does not seem related to our problem. Andreas --r5Pyd7+fXNt84Ff3 Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename="260_openssl.patch" Subject: OpenSSL issues Author: Cristian Rodriguez Origin: https://build.opensuse.org/request/show/141054 Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2012-4929 Mon Nov 12 18:26:45 UTC 2012 - crrodriguez@opensuse.org - Due to the "CRIME attack" (CVE-2012-4929) HTTPS clients that negotiate TLS-level compression can be abused for MITM attacks. (w3m-openssl.patch) - Use SSL_MODE_RELEASE_BUFFERS if available . --- w3m.orig/url.c +++ w3m/url.c @@ -337,7 +337,15 @@ openSSLHandle(int sock, char *hostname, if (strchr(ssl_forbid_method, 'T')) option |= SSL_OP_NO_TLSv1; } +#ifdef SSL_OP_NO_COMPRESSION + option |= SSL_OP_NO_COMPRESSION; +#endif SSL_CTX_set_options(ssl_ctx, option); + +#ifdef SSL_MODE_RELEASE_BUFFERS + SSL_CTX_set_mode (ssl_ctx, SSL_MODE_RELEASE_BUFFERS); +#endif + #ifdef USE_SSL_VERIFY /* derived from openssl-0.9.5/apps/s_{client,cb}.c */ #if 1 /* use SSL_get_verify_result() to verify cert */ --r5Pyd7+fXNt84Ff3-- From debbugs-submit-bounces@debbugs.gnu.org Tue Feb 18 14:33:08 2014 Received: (at 16791) by debbugs.gnu.org; 18 Feb 2014 19:33:08 +0000 Received: from localhost ([127.0.0.1]:58924 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.80) (envelope-from ) id 1WFqPk-00047q-2y for submit@debbugs.gnu.org; Tue, 18 Feb 2014 14:33:08 -0500 Received: from moutng.kundenserver.de ([212.227.126.171]:55245) by debbugs.gnu.org with esmtp (Exim 4.80) (envelope-from ) id 1WFqPh-00047H-W8 for 16791@debbugs.gnu.org; Tue, 18 Feb 2014 14:33:06 -0500 Received: from debian (aqu33-1-82-66-2-95.fbx.proxad.net [82.66.2.95]) by mrelayeu.kundenserver.de (node=mreue004) with ESMTP (Nemesis) id 0M05tI-1X9sP435Fk-00uEvF; Tue, 18 Feb 2014 20:32:47 +0100 Date: Tue, 18 Feb 2014 20:32:44 +0100 From: Andreas Enge To: Mark H Weaver Subject: Re: bug#16791: w3m fails to do any SSL certificate checking Message-ID: <20140218193244.GA10846@debian> References: <87ha7wol02.fsf@netris.org> <20140218192300.GA9840@debian> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20140218192300.GA9840@debian> User-Agent: Mutt/1.5.21 (2010-09-15) X-Provags-ID: V02:K0:Z00ZB0NS7A1cNLz3ZBZXD+CCV7pbm/0NJj1lVhD9qrk SpuCGyjg1Yu4zk57CPzgeEn4QIAXfTBmzknKo+1LIwvKvg1ZCy 69fvGo41hYhNk/NF35q53arP3F7j8ihRtisb/oJRnMBkIGBgPB Ta78IPO9523NPsbOf0vYXP7Ru32SBYw43B4muKhTFedHhpQ2jl wI1AICDImM5J238mwOkw2Mmht1SjTMrzOmZc4+M3G2JcVV9jwg OmndsPJpOAuqXLBNKJrUMJREqYA+nOPBjywj0IIe0NnVIo+JXv HkvQR/2NhflxgAE1NE3cMmvAZtFL6BV2acB7sWWDjSF8SS74Q= = X-Spam-Score: -0.0 (/) X-Debbugs-Envelope-To: 16791 Cc: 16791@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.0 (/) I wondered whether the problem lied in our openssl. It does not seem so. "openssl verify cert.pem" on my problematic certificate does print as expected: error 18 at 0 depth lookup:self signed certificate error 10 at 0 depth lookup:certificate has expired Andreas From debbugs-submit-bounces@debbugs.gnu.org Sun Mar 16 15:41:06 2014 Received: (at control) by debbugs.gnu.org; 16 Mar 2014 19:41:06 +0000 Received: from localhost ([127.0.0.1]:38395 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.80) (envelope-from ) id 1WPGvi-00007r-3j for submit@debbugs.gnu.org; Sun, 16 Mar 2014 15:41:06 -0400 Received: from world.peace.net ([96.39.62.75]:57681) by debbugs.gnu.org with esmtp (Exim 4.80) (envelope-from ) id 1WPGvf-00007i-Nb for control@debbugs.gnu.org; Sun, 16 Mar 2014 15:41:04 -0400 Received: from turntable.mit.edu ([18.160.0.29] helo=yeeloong.lan) by world.peace.net with esmtpsa (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.72) (envelope-from ) id 1WPGvY-00026Q-W3; Sun, 16 Mar 2014 15:40:57 -0400 From: Mark H Weaver To: control@debbugs.gnu.org Date: Sun, 16 Mar 2014 15:40:25 -0400 Message-ID: <87y50a3pau.fsf@yeeloong.lan> MIME-Version: 1.0 Content-Type: text/plain X-Spam-Score: 2.0 (++) X-Spam-Report: Spam detection software, running on the system "debbugs.gnu.org", has identified this incoming email as possible spam. The original message has been attached to this so you can view it (if it isn't spam) or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: severity 16791 serious thanks [...] Content analysis details: (2.0 points, 10.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 1.8 MISSING_SUBJECT Missing Subject: header 0.2 NO_SUBJECT Extra score for no subject X-Debbugs-Envelope-To: control X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: 2.0 (++) X-Spam-Report: Spam detection software, running on the system "debbugs.gnu.org", has identified this incoming email as possible spam. The original message has been attached to this so you can view it (if it isn't spam) or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: severity 16791 serious thanks [...] Content analysis details: (2.0 points, 10.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 1.8 MISSING_SUBJECT Missing Subject: header 0.2 NO_SUBJECT Extra score for no subject severity 16791 serious thanks From debbugs-submit-bounces@debbugs.gnu.org Sat Jan 02 21:20:39 2016 Received: (at 16791) by debbugs.gnu.org; 3 Jan 2016 02:20:39 +0000 Received: from localhost ([127.0.0.1]:35740 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84) (envelope-from ) id 1aFYHf-0002Sv-0G for submit@debbugs.gnu.org; Sat, 02 Jan 2016 21:20:39 -0500 Received: from out4-smtp.messagingengine.com ([66.111.4.28]:53102) by debbugs.gnu.org with esmtp (Exim 4.84) (envelope-from ) id 1aFYHc-0002Sn-V9 for 16791@debbugs.gnu.org; Sat, 02 Jan 2016 21:20:38 -0500 Received: from compute1.internal (compute1.nyi.internal [10.202.2.41]) by mailout.nyi.internal (Postfix) with ESMTP id E5858203A8; Sat, 2 Jan 2016 21:20:34 -0500 (EST) Received: from frontend1 ([10.202.2.160]) by compute1.internal (MEProxy); Sat, 02 Jan 2016 21:20:34 -0500 DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=famulari.name; h= content-type:date:from:message-id:mime-version:subject:to :x-sasl-enc:x-sasl-enc; s=mesmtp; bh=TK9x50wHJQluNO3iOt7dAE+nNDU =; b=0kjCm341DqAXZ0nCSZIO5olmaIdwiPjp7D7oI1gjZWJoN+NP05JuoKyIBcO OLGUeWtFK5NWsQLOj0NPWV18ckbJYr8NRXGQPjxR65OiOn+yfnVOASnazsObx1Kp yOxTROj6+gBhVcGW44j7aOZZY5QVPtwUORsuym9oypbJvz38= DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d= messagingengine.com; h=content-type:date:from:message-id :mime-version:subject:to:x-sasl-enc:x-sasl-enc; s=smtpout; bh=TK 9x50wHJQluNO3iOt7dAE+nNDU=; b=t0OygWHb4v9+H4jbZqVaXtAZ2v1t66viT1 94nNrOK0QC5cZDWs8+HjZGisBvkNQ47vMHgyIBSoQl+Anasj31QA7W4QGkpfo7TG v9ljT14l15VSXaPcM27qrGTu8m06ceroyzlAS0TUZtv8z7NOxmYyNoom8fj5DpoX mslQ4fHj4= X-Sasl-enc: LGGiPnxnPEIQQ9sCApdoG4eI8EcQ2/PJTdQsqFiw4PzY 1451787634 Received: from localhost (unknown [172.56.2.45]) by mail.messagingengine.com (Postfix) with ESMTPA id 8623BC016C4 for <16791@debbugs.gnu.org>; Sat, 2 Jan 2016 21:20:34 -0500 (EST) Date: Sat, 2 Jan 2016 21:20:30 -0500 From: Leo Famulari To: 16791@debbugs.gnu.org Subject: Re: w3m fails to do any SSL certificate checking Message-ID: <20160103022030.GA16788@jasmine> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.5.24 (2015-08-30) X-Spam-Score: -0.7 (/) X-Debbugs-Envelope-To: 16791 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.7 (/) I looked into how Debian does it. They bundle a configuration file that sets the correct options. If you download the "debian" file [0], which includes all of their packaging for w3m, you can view the file at 'debian/w3mconfig'. The relevant option is "ssl_verify_server", and it must be set to "1" in order for w3m to perform verification. Example with a domain whose certificate is expired: $ w3m -o ssl_verify_server 1 fmrl.me Do we ever bundle configuration files in this manner? Can a wrapper set command-line variables? I will investigate whether these options can be set at build time. I don't think we should ship a browser in this state, even if users are able to configure it properly after installation. w3m is used by other programs like mutt to render html "under the hood". [0] http://http.debian.net/debian/pool/main/w/w3m/w3m_0.5.3-26.debian.tar.xz From debbugs-submit-bounces@debbugs.gnu.org Mon Jan 04 01:19:43 2016 Received: (at 16791) by debbugs.gnu.org; 4 Jan 2016 06:19:43 +0000 Received: from localhost ([127.0.0.1]:37079 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84) (envelope-from ) id 1aFyUZ-0005TS-4S for submit@debbugs.gnu.org; Mon, 04 Jan 2016 01:19:43 -0500 Received: from out4-smtp.messagingengine.com ([66.111.4.28]:59242) by debbugs.gnu.org with esmtp (Exim 4.84) (envelope-from ) id 1aFyUX-0005TI-KU for 16791@debbugs.gnu.org; Mon, 04 Jan 2016 01:19:42 -0500 Received: from compute6.internal (compute6.nyi.internal [10.202.2.46]) by mailout.nyi.internal (Postfix) with ESMTP id 33AEA20712; Mon, 4 Jan 2016 01:19:41 -0500 (EST) Received: from frontend2 ([10.202.2.161]) by compute6.internal (MEProxy); Mon, 04 Jan 2016 01:19:41 -0500 DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=famulari.name; h= content-type:date:from:in-reply-to:message-id:mime-version :references:subject:to:x-sasl-enc:x-sasl-enc; s=mesmtp; bh=bJ2te UsFK6fIPadbi1WbxTLYsjs=; b=uaKAoHWBnlHbVD4ESQIVqtlyJB22VqndgNoW5 IZdhsEt/5PFoeQU68BKo+LMoTAXpfTUWPAgetPTp75POfq7ZAarhQA0fz+r7rZtp NmvFd8TdPbyth7eJjWSJbQJ4uLnaLam7IlNTpSK14wwD8x5ps/JMLZbXdTLAFuwj Q0To7c= DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d= messagingengine.com; h=content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-sasl-enc :x-sasl-enc; s=smtpout; bh=bJ2teUsFK6fIPadbi1WbxTLYsjs=; b=fRQPQ zXwCfsZp3d+5pJskyiDBSq8bbwOEXFldNmpNev23kfTvIybMGwhquzTq5/ouFyYU RQVgtTuc9pzuMnd1shySKJls0VhGjkW5kvpdWLIzicIW+lBh7AXm72nwss4235NT b4UqUb2tJmdOW+MYc1NVdmwTr25yTQ8unxs7kc= X-Sasl-enc: FqGedNaY3e6AtReEkWXTQzS88zXka1CzY7tMzf4Lhq01 1451888380 Received: from localhost (c-69-249-5-231.hsd1.pa.comcast.net [69.249.5.231]) by mail.messagingengine.com (Postfix) with ESMTPA id E0A6D68015A for <16791@debbugs.gnu.org>; Mon, 4 Jan 2016 01:19:40 -0500 (EST) Date: Mon, 4 Jan 2016 01:19:32 -0500 From: Leo Famulari To: 16791@debbugs.gnu.org Subject: Re: bug#16791: w3m fails to do any SSL certificate checking Message-ID: <20160104061932.GA4210@jasmine> References: <87ha7wol02.fsf@netris.org> <20160103022030.GA16788@jasmine> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20160103022030.GA16788@jasmine> User-Agent: Mutt/1.5.24 (2015-08-30) X-Spam-Score: -0.7 (/) X-Debbugs-Envelope-To: 16791 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.7 (/) On Sat, Jan 02, 2016 at 09:20:30PM -0500, Leo Famulari wrote: > I looked into how Debian does it. They bundle a configuration file that > sets the correct options. > > If you download the "debian" file [0], which includes all of their > packaging for w3m, you can view the file at 'debian/w3mconfig'. > > The relevant option is "ssl_verify_server", and it must be set to "1" in > order for w3m to perform verification. > > Example with a domain whose certificate is expired: > $ w3m -o ssl_verify_server 1 fmrl.me > > Do we ever bundle configuration files in this manner? > > Can a wrapper set command-line variables? > > I will investigate whether these options can be set at build time. > > I don't think we should ship a browser in this state, even if users are > able to configure it properly after installation. w3m is used by other > programs like mutt to render html "under the hood". > > [0] > http://http.debian.net/debian/pool/main/w/w3m/w3m_0.5.3-26.debian.tar.xz > This particular issue was resolved in October 2014 in this commit (tested): http://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=05503271dfd26b843589dece0da35ba5d7d38654 It looks like there is a lot of development activity happening within Debian, beyond simple packaging [0]. Even what seems to be the official SourceForge page seems to be tracking the Debian work [1]. The Debian developers are regularly issuing release tags but not release tarballs. I built from the latest one and it seems to work. I think we should use the Debian repo as the source for our w3m package. What does everyone else think? [0] http://anonscm.debian.org/cgit/collab-maint/w3m.git/ [1] http://sourceforge.net/p/w3m/patches/71/ From debbugs-submit-bounces@debbugs.gnu.org Mon Jan 04 14:12:07 2016 Received: (at 16791) by debbugs.gnu.org; 4 Jan 2016 19:12:07 +0000 Received: from localhost ([127.0.0.1]:37855 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84) (envelope-from ) id 1aGAY2-0002LQ-Q9 for submit@debbugs.gnu.org; Mon, 04 Jan 2016 14:12:07 -0500 Received: from out4-smtp.messagingengine.com ([66.111.4.28]:50759) by debbugs.gnu.org with esmtp (Exim 4.84) (envelope-from ) id 1aGAY0-0002LH-LF for 16791@debbugs.gnu.org; Mon, 04 Jan 2016 14:12:05 -0500 Received: from compute4.internal (compute4.nyi.internal [10.202.2.44]) by mailout.nyi.internal (Postfix) with ESMTP id 5F9D6207D5; Mon, 4 Jan 2016 14:12:04 -0500 (EST) Received: from frontend1 ([10.202.2.160]) by compute4.internal (MEProxy); Mon, 04 Jan 2016 14:12:04 -0500 DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=famulari.name; h= content-type:date:from:in-reply-to:message-id:mime-version :references:subject:to:x-sasl-enc:x-sasl-enc; s=mesmtp; bh=KTnN5 66aimfFLtwEtRjBSU7+dtQ=; b=0P+QKwnlwq+Fla0k3XOi2rsn2mZuB/pWV8M+g npzgVLdNAREOO5A+rENdL7+1fq5shFe7+i9V1LWGY1mQ1QF0hS6KgL1V9oAzDwr5 VOaqzj4iS7mgB5GacV3ctERfFP0953RoKKuizuFOe5Jq04sgrjbVURgtPLM8l49t 4EyFAM= DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d= messagingengine.com; h=content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-sasl-enc :x-sasl-enc; s=smtpout; bh=KTnN566aimfFLtwEtRjBSU7+dtQ=; b=jwTPK BTLG0zhulzWq3Y159m9UJR/A4pfJAYzEXAM5MvU09D57ZWJBZDj3gAvzp/P0XDyR x9drh0vI9MLBH2TRZI5tX3UppHadG+3dYB4I9f+kMhEFXIuedukr14XXvh/4QQcY PoM7q1z3F4NtEwqhuSI78n90j/iKlzsmIpBkVU= X-Sasl-enc: x7vxaH0zCIChyk1IFNKsVWIq8BaA74dfnv9XsHLgfBkq 1451934724 Received: from localhost (c-69-249-5-231.hsd1.pa.comcast.net [69.249.5.231]) by mail.messagingengine.com (Postfix) with ESMTPA id 1C232C016DA for <16791@debbugs.gnu.org>; Mon, 4 Jan 2016 14:12:04 -0500 (EST) Date: Mon, 4 Jan 2016 14:12:04 -0500 From: Leo Famulari To: 16791@debbugs.gnu.org Subject: Re: bug#16791: w3m fails to do any SSL certificate checking Message-ID: <20160104191204.GB26142@jasmine> References: <87ha7wol02.fsf@netris.org> <20160103022030.GA16788@jasmine> <20160104061932.GA4210@jasmine> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20160104061932.GA4210@jasmine> User-Agent: Mutt/1.5.24 (2015-08-30) X-Spam-Score: -0.7 (/) X-Debbugs-Envelope-To: 16791 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.7 (/) On Mon, Jan 04, 2016 at 01:19:32AM -0500, Leo Famulari wrote: > On Sat, Jan 02, 2016 at 09:20:30PM -0500, Leo Famulari wrote: > > I looked into how Debian does it. They bundle a configuration file that > > sets the correct options. > > > > If you download the "debian" file [0], which includes all of their > > packaging for w3m, you can view the file at 'debian/w3mconfig'. > > > > The relevant option is "ssl_verify_server", and it must be set to "1" in > > order for w3m to perform verification. > > > > Example with a domain whose certificate is expired: > > $ w3m -o ssl_verify_server 1 fmrl.me > > > > Do we ever bundle configuration files in this manner? > > > > Can a wrapper set command-line variables? > > > > I will investigate whether these options can be set at build time. > > > > I don't think we should ship a browser in this state, even if users are > > able to configure it properly after installation. w3m is used by other > > programs like mutt to render html "under the hood". > > > > [0] > > http://http.debian.net/debian/pool/main/w/w3m/w3m_0.5.3-26.debian.tar.xz > > > > This particular issue was resolved in October 2014 in this commit > (tested): > http://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=05503271dfd26b843589dece0da35ba5d7d38654 > > It looks like there is a lot of development activity happening within > Debian, beyond simple packaging [0]. Even what seems to be the official > SourceForge page seems to be tracking the Debian work [1]. > > The Debian developers are regularly issuing release tags but not release > tarballs. I built from the latest one and it seems to work. > > I think we should use the Debian repo as the source for our w3m package. > What does everyone else think? I wanted to "tighten" w3m's SSL configuration in general, and found that the Debian developers have already disabled SSLv2 and SSLv3 [0] and some insecure ciphers [1]. [0] http://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=05503271dfd26b843589dece0da35ba5d7d38654 http://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=1aace42d026c7df31c4762ef1095ce83450916fc [1] http://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=3335b5e824eecf70055af985b12c60651787fbfc > > [0] > http://anonscm.debian.org/cgit/collab-maint/w3m.git/ > > [1] > http://sourceforge.net/p/w3m/patches/71/ > > > From debbugs-submit-bounces@debbugs.gnu.org Mon Jan 04 18:36:11 2016 Received: (at 16791) by debbugs.gnu.org; 4 Jan 2016 23:36:11 +0000 Received: from localhost ([127.0.0.1]:37969 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84) (envelope-from ) id 1aGEfb-00006v-HO for submit@debbugs.gnu.org; Mon, 04 Jan 2016 18:36:11 -0500 Received: from eggs.gnu.org ([208.118.235.92]:41051) by debbugs.gnu.org with esmtp (Exim 4.84) (envelope-from ) id 1aGEfZ-00006g-PW for 16791@debbugs.gnu.org; Mon, 04 Jan 2016 18:36:10 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1aGEfQ-0002pL-GJ for 16791@debbugs.gnu.org; Mon, 04 Jan 2016 18:36:04 -0500 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org X-Spam-Level: X-Spam-Status: No, score=0.8 required=5.0 tests=BAYES_50,RP_MATCHES_RCVD autolearn=disabled version=3.3.2 Received: from fencepost.gnu.org ([2001:4830:134:3::e]:41405) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1aGEfQ-0002pH-Cc; Mon, 04 Jan 2016 18:36:00 -0500 Received: from reverse-83.fdn.fr ([80.67.176.83]:50158 helo=pluto) by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_128_CBC_SHA1:128) (Exim 4.82) (envelope-from ) id 1aGEfP-0007WY-Ls; Mon, 04 Jan 2016 18:36:00 -0500 From: ludo@gnu.org (Ludovic =?utf-8?Q?Court=C3=A8s?=) To: Leo Famulari Subject: Re: bug#16791: w3m fails to do any SSL certificate checking References: <87ha7wol02.fsf@netris.org> <20160103022030.GA16788@jasmine> <20160104061932.GA4210@jasmine> X-URL: http://www.fdn.fr/~lcourtes/ X-Revolutionary-Date: 16 =?utf-8?Q?Niv=C3=B4se?= an 224 de la =?utf-8?Q?R?= =?utf-8?Q?=C3=A9volution?= X-PGP-Key-ID: 0x3D9AEBB5 X-PGP-Key: http://www.fdn.fr/~lcourtes/ludovic.asc X-PGP-Fingerprint: 3CE4 6455 8A84 FDC6 9DB4 0CFB 090B 1199 3D9A EBB5 X-OS: x86_64-unknown-linux-gnu Date: Tue, 05 Jan 2016 00:35:57 +0100 In-Reply-To: <20160104061932.GA4210@jasmine> (Leo Famulari's message of "Mon, 4 Jan 2016 01:19:32 -0500") Message-ID: <87y4c4x6hu.fsf@gnu.org> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] X-Received-From: 2001:4830:134:3::e X-Spam-Score: -5.0 (-----) X-Debbugs-Envelope-To: 16791 Cc: 16791@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -5.0 (-----) Leo Famulari skribis: > On Sat, Jan 02, 2016 at 09:20:30PM -0500, Leo Famulari wrote: >> I looked into how Debian does it. They bundle a configuration file that >> sets the correct options. >>=20 >> If you download the "debian" file [0], which includes all of their >> packaging for w3m, you can view the file at 'debian/w3mconfig'. >>=20 >> The relevant option is "ssl_verify_server", and it must be set to "1" in >> order for w3m to perform verification. >>=20 >> Example with a domain whose certificate is expired: >> $ w3m -o ssl_verify_server 1 fmrl.me >>=20 >> Do we ever bundle configuration files in this manner? >>=20 >> Can a wrapper set command-line variables? >>=20 >> I will investigate whether these options can be set at build time. >>=20 >> I don't think we should ship a browser in this state, even if users are >> able to configure it properly after installation. w3m is used by other >> programs like mutt to render html "under the hood". >>=20 >> [0] >> http://http.debian.net/debian/pool/main/w/w3m/w3m_0.5.3-26.debian.tar.xz >>=20 > > This particular issue was resolved in October 2014 in this commit > (tested): > http://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=3D05503271= dfd26b843589dece0da35ba5d7d38654 Looks like applying this patch would fix the bug right away, right? > It looks like there is a lot of development activity happening within > Debian, beyond simple packaging [0]. Even what seems to be the official > SourceForge page seems to be tracking the Debian work [1]. > > The Debian developers are regularly issuing release tags but not release > tarballs. I built from the latest one and it seems to work. > > I think we should use the Debian repo as the source for our w3m package. > What does everyone else think? Unless upstream is really dead, we should track it. I think it=E2=80=99s n= ot the distro=E2=80=99s job to do non-trivial development. What about using the latest upstream tarball, along with the patch above and probably the one that disables SSLv{2,3}? Thanks, Ludo=E2=80=99. From debbugs-submit-bounces@debbugs.gnu.org Tue Jan 05 11:32:18 2016 Received: (at 16791) by debbugs.gnu.org; 5 Jan 2016 16:32:18 +0000 Received: from localhost ([127.0.0.1]:38991 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84) (envelope-from ) id 1aGUWv-0007Y4-WA for submit@debbugs.gnu.org; Tue, 05 Jan 2016 11:32:18 -0500 Received: from out4-smtp.messagingengine.com ([66.111.4.28]:36412) by debbugs.gnu.org with esmtp (Exim 4.84) (envelope-from ) id 1aGUWt-0007Xv-C9 for 16791@debbugs.gnu.org; Tue, 05 Jan 2016 11:32:16 -0500 Received: from compute6.internal (compute6.nyi.internal [10.202.2.46]) by mailout.nyi.internal (Postfix) with ESMTP id CF5F620A20; Tue, 5 Jan 2016 11:32:14 -0500 (EST) Received: from frontend2 ([10.202.2.161]) by compute6.internal (MEProxy); Tue, 05 Jan 2016 11:32:14 -0500 DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=famulari.name; h= cc:content-transfer-encoding:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-sasl-enc :x-sasl-enc; s=mesmtp; bh=B56qp8Dol9WH330cOtcQcyWXU4g=; b=XIrcqD CGMVLOERj5iJcLsea/0TnDV/bl/C6YaYFiJ5B7z+TQnKUpNeKJLpFK6M5glqOTnZ 7mUJqDYzEWzaMzc38/J0307yORlwCCJnizUDJx71wAIXavMg61S2CGe2BFdxCboA X5NatQCC6wc8FJz7DJBUmbeSYly7y3mxSQjgk= DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-sasl-enc:x-sasl-enc; s=smtpout; bh=B56qp8Dol9WH330 cOtcQcyWXU4g=; b=QEzGM1V4D/QT3+RDVLraEMXKQ5ZAQIbLURl1GVe34R+GLeV z07LXGmYllkZp7noCop2StWKsr8Em11xDK7Jkkxg/QWbkVz4jxqI2k/+U3+30zAM jtoOiwRVaAKlgg3Gp0vC0Dm739mgkxZHS5pdCp38tD3X1QQlMgvljQLXTcZo= X-Sasl-enc: g/bG7YjzC+rny6q08IO5PrAnfbO3SftrBYqJAsjO7dyX 1452011534 Received: from localhost (c-69-249-5-231.hsd1.pa.comcast.net [69.249.5.231]) by mail.messagingengine.com (Postfix) with ESMTPA id 76633680103; Tue, 5 Jan 2016 11:32:14 -0500 (EST) Date: Tue, 5 Jan 2016 11:32:14 -0500 From: Leo Famulari To: Ludovic =?iso-8859-1?Q?Court=E8s?= Subject: Re: bug#16791: w3m fails to do any SSL certificate checking Message-ID: <20160105163214.GA23764@jasmine> References: <87ha7wol02.fsf@netris.org> <20160103022030.GA16788@jasmine> <20160104061932.GA4210@jasmine> <87y4c4x6hu.fsf@gnu.org> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <87y4c4x6hu.fsf@gnu.org> User-Agent: Mutt/1.5.24 (2015-08-30) X-Spam-Score: -0.7 (/) X-Debbugs-Envelope-To: 16791 Cc: 16791@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.7 (/) On Tue, Jan 05, 2016 at 12:35:57AM +0100, Ludovic Courtès wrote: > Leo Famulari skribis: > > > On Sat, Jan 02, 2016 at 09:20:30PM -0500, Leo Famulari wrote: > >> I looked into how Debian does it. They bundle a configuration file that > >> sets the correct options. > >> > >> If you download the "debian" file [0], which includes all of their > >> packaging for w3m, you can view the file at 'debian/w3mconfig'. > >> > >> The relevant option is "ssl_verify_server", and it must be set to "1" in > >> order for w3m to perform verification. > >> > >> Example with a domain whose certificate is expired: > >> $ w3m -o ssl_verify_server 1 fmrl.me > >> > >> Do we ever bundle configuration files in this manner? > >> > >> Can a wrapper set command-line variables? > >> > >> I will investigate whether these options can be set at build time. > >> > >> I don't think we should ship a browser in this state, even if users are > >> able to configure it properly after installation. w3m is used by other > >> programs like mutt to render html "under the hood". > >> > >> [0] > >> http://http.debian.net/debian/pool/main/w/w3m/w3m_0.5.3-26.debian.tar.xz > >> > > > > This particular issue was resolved in October 2014 in this commit > > (tested): > > http://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=05503271dfd26b843589dece0da35ba5d7d38654 > > Looks like applying this patch would fix the bug right away, right? > > > It looks like there is a lot of development activity happening within > > Debian, beyond simple packaging [0]. Even what seems to be the official > > SourceForge page seems to be tracking the Debian work [1]. > > > > The Debian developers are regularly issuing release tags but not release > > tarballs. I built from the latest one and it seems to work. > > > > I think we should use the Debian repo as the source for our w3m package. > > What does everyone else think? > > Unless upstream is really dead, we should track it. I think it’s not > the distro’s job to do non-trivial development. I'm trying to reach the people that used to work on w3m to ask if they are still active or if they have abandoned it. They haven't been around in ~4 years from what I have seen. > > What about using the latest upstream tarball, along with the patch > above and probably the one that disables SSLv{2,3}? I'll try that. > > Thanks, > Ludo’. From debbugs-submit-bounces@debbugs.gnu.org Thu Jan 07 23:55:20 2016 Received: (at 16791) by debbugs.gnu.org; 8 Jan 2016 04:55:20 +0000 Received: from localhost ([127.0.0.1]:42141 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84) (envelope-from ) id 1aHP55-0000Cm-Pq for submit@debbugs.gnu.org; Thu, 07 Jan 2016 23:55:20 -0500 Received: from out4-smtp.messagingengine.com ([66.111.4.28]:39305) by debbugs.gnu.org with esmtp (Exim 4.84) (envelope-from ) id 1aHP50-0000Ca-2G for 16791@debbugs.gnu.org; Thu, 07 Jan 2016 23:55:17 -0500 Received: from compute3.internal (compute3.nyi.internal [10.202.2.43]) by mailout.nyi.internal (Postfix) with ESMTP id A69AB20A9C for <16791@debbugs.gnu.org>; Thu, 7 Jan 2016 23:55:13 -0500 (EST) Received: from frontend2 ([10.202.2.161]) by compute3.internal (MEProxy); Thu, 07 Jan 2016 23:55:13 -0500 DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=famulari.name; h= cc:content-transfer-encoding:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-sasl-enc :x-sasl-enc; s=mesmtp; bh=gwVhrAl1DfhWdetX1VhqYfggYL8=; b=w9SxRy JKC/aBH/zldBuwmpxDXRTbSOEVxADmw4au/f4PnpE9e62Cm2Q1fvBsHXygnzL2Xn 7tbZ+pBDnXdmomKzjE6zHirkSXc3zy34AQt4bNOf/56iy5VEsX3jW+OO39Ft5yAN hXFypdUIHGE3wGAcAMSPwHqP/LaoGQ+i0cqSk= DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-sasl-enc:x-sasl-enc; s=smtpout; bh=gwVhrAl1DfhWdet X1VhqYfggYL8=; b=fe0/1/eUMc2MISC6CDNdvSh8/kcGxF+fKzHmepbWBq8Bvu8 4PJQ5rrieG59dSuOi9et6rG3ZN1umYw8P9srQ/kI3+AqVV9jSm02DCuoloLIJCAQ 8+TbYH5jiN2eqKOl+IVZjy07BVuDhKHEQBN68d8fZAQxLlQ98NK0dU8t/qgY= X-Sasl-enc: 25pM+pYhNus9bGTul9BkvPhsiVSVwoRPQ9tlH+Qc7n2L 1452228913 Received: from localhost (c-69-249-5-231.hsd1.pa.comcast.net [69.249.5.231]) by mail.messagingengine.com (Postfix) with ESMTPA id 588AB68015F; Thu, 7 Jan 2016 23:55:13 -0500 (EST) Date: Thu, 7 Jan 2016 23:55:12 -0500 From: Leo Famulari To: Ludovic =?iso-8859-1?Q?Court=E8s?= Subject: Re: bug#16791: w3m fails to do any SSL certificate checking Message-ID: <20160108045512.GA30445@jasmine> References: <87ha7wol02.fsf@netris.org> <20160103022030.GA16788@jasmine> <20160104061932.GA4210@jasmine> <87y4c4x6hu.fsf@gnu.org> <20160105163214.GA23764@jasmine> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <20160105163214.GA23764@jasmine> User-Agent: Mutt/1.5.24 (2015-08-30) X-Spam-Score: -0.7 (/) X-Debbugs-Envelope-To: 16791 Cc: mhw@netris.org, 16791@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.7 (/) On Tue, Jan 05, 2016 at 11:32:14AM -0500, Leo Famulari wrote: > On Tue, Jan 05, 2016 at 12:35:57AM +0100, Ludovic Courtès wrote: > > Leo Famulari skribis: > > > > > On Sat, Jan 02, 2016 at 09:20:30PM -0500, Leo Famulari wrote: > > >> I looked into how Debian does it. They bundle a configuration file that > > >> sets the correct options. > > >> > > >> If you download the "debian" file [0], which includes all of their > > >> packaging for w3m, you can view the file at 'debian/w3mconfig'. > > >> > > >> The relevant option is "ssl_verify_server", and it must be set to "1" in > > >> order for w3m to perform verification. > > >> > > >> Example with a domain whose certificate is expired: > > >> $ w3m -o ssl_verify_server 1 fmrl.me > > >> > > >> Do we ever bundle configuration files in this manner? > > >> > > >> Can a wrapper set command-line variables? > > >> > > >> I will investigate whether these options can be set at build time. > > >> > > >> I don't think we should ship a browser in this state, even if users are > > >> able to configure it properly after installation. w3m is used by other > > >> programs like mutt to render html "under the hood". > > >> > > >> [0] > > >> http://http.debian.net/debian/pool/main/w/w3m/w3m_0.5.3-26.debian.tar.xz > > >> > > > > > > This particular issue was resolved in October 2014 in this commit > > > (tested): > > > http://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=05503271dfd26b843589dece0da35ba5d7d38654 > > > > Looks like applying this patch would fix the bug right away, right? > > > > > It looks like there is a lot of development activity happening within > > > Debian, beyond simple packaging [0]. Even what seems to be the official > > > SourceForge page seems to be tracking the Debian work [1]. > > > > > > The Debian developers are regularly issuing release tags but not release > > > tarballs. I built from the latest one and it seems to work. > > > > > > I think we should use the Debian repo as the source for our w3m package. > > > What does everyone else think? > > > > Unless upstream is really dead, we should track it. I think it’s not > > the distro’s job to do non-trivial development. > > I'm trying to reach the people that used to work on w3m to ask if they > are still active or if they have abandoned it. They haven't been around > in ~4 years from what I have seen. > > > > > What about using the latest upstream tarball, along with the patch > > above and probably the one that disables SSLv{2,3}? > > I'll try that. Mark, can you check if commit 62339e2d49 fixes this bug for you? > > > > > Thanks, > > Ludo’. > > > From debbugs-submit-bounces@debbugs.gnu.org Wed Feb 10 16:16:41 2016 Received: (at 16791-done) by debbugs.gnu.org; 10 Feb 2016 21:16:41 +0000 Received: from localhost ([127.0.0.1]:35395 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84) (envelope-from ) id 1aTc7t-0003wS-7k for submit@debbugs.gnu.org; Wed, 10 Feb 2016 16:16:41 -0500 Received: from out5-smtp.messagingengine.com ([66.111.4.29]:42242) by debbugs.gnu.org with esmtp (Exim 4.84) (envelope-from ) id 1aTc7r-0003ur-RT for 16791-done@debbugs.gnu.org; Wed, 10 Feb 2016 16:16:40 -0500 Received: from compute2.internal (compute2.nyi.internal [10.202.2.42]) by mailout.nyi.internal (Postfix) with ESMTP id 8E49421E0D; Wed, 10 Feb 2016 16:16:39 -0500 (EST) Received: from frontend1 ([10.202.2.160]) by compute2.internal (MEProxy); Wed, 10 Feb 2016 16:16:39 -0500 DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=famulari.name; h= content-transfer-encoding:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-sasl-enc :x-sasl-enc; s=mesmtp; bh=0INnyV3LmUZ/+3Qax1bwv6KJxq0=; b=OIyRQl NVVBKMk7vvIK3w7yuvrHMs59745+7NEVb26PSGRiEY3UvaN9kAEQ2re9ydUMdSgp BFxDUZ+Fh7LvuIkB+DyK/VbFE2rB9aF+FLlaFLCmav3ejBCn9e446U2oQye4wmax GeiZlceOU+L2/AVdB+DAwt4zmOgLFndi2NzTg= DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d= messagingengine.com; h=content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-sasl-enc:x-sasl-enc; s=smtpout; bh=0INnyV3LmUZ/+3Q ax1bwv6KJxq0=; b=L5jycIAQmRVBSfmg52RW5iBUnS7WASuldDvRSnxAOEMeieJ zemI527NffYH38FAIuC8Jlu3t3SQZo7+Sq1emsy5texAFiwnNDaQtI/xL816TfIg 9OLGlUL2SUdmclO8Qyq5c3cfGs83I0tqF6QNATlbb6pBMjdIhM3j+xvXmRBo= X-Sasl-enc: xBBHmD62JgTskAANk2+7VDN1b3pjbihzxZpDDtZ9ixHS 1455138999 Received: from localhost (c-69-249-5-231.hsd1.pa.comcast.net [69.249.5.231]) by mail.messagingengine.com (Postfix) with ESMTPA id 4029BC0001A for <16791-done@debbugs.gnu.org>; Wed, 10 Feb 2016 16:16:39 -0500 (EST) Date: Wed, 10 Feb 2016 16:16:41 -0500 From: Leo Famulari To: 16791-done@debbugs.gnu.org Subject: Re: bug#16791: w3m fails to do any SSL certificate checking Message-ID: <20160210211641.GA28843@jasmine> References: <87ha7wol02.fsf@netris.org> <20160103022030.GA16788@jasmine> <20160104061932.GA4210@jasmine> <87y4c4x6hu.fsf@gnu.org> <20160105163214.GA23764@jasmine> <20160108045512.GA30445@jasmine> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <20160108045512.GA30445@jasmine> User-Agent: Mutt/1.5.24 (2015-08-30) X-Spam-Score: -0.7 (/) X-Debbugs-Envelope-To: 16791-done X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.7 (/) On Thu, Jan 07, 2016 at 11:55:12PM -0500, Leo Famulari wrote: > On Tue, Jan 05, 2016 at 11:32:14AM -0500, Leo Famulari wrote: > > On Tue, Jan 05, 2016 at 12:35:57AM +0100, Ludovic Courtès wrote: [...] > > > What about using the latest upstream tarball, along with the patch > > > above and probably the one that disables SSLv{2,3}? > > > > I'll try that. > > Mark, can you check if commit 62339e2d49 fixes this bug for you? I believe this bug is fixed. Please re-open if that is not the case. From unknown Sat Aug 16 21:58:54 2025 Received: (at fakecontrol) by fakecontrolmessage; To: internal_control@debbugs.gnu.org From: Debbugs Internal Request Subject: Internal Control Message-Id: bug archived. Date: Thu, 10 Mar 2016 12:24:03 +0000 User-Agent: Fakemail v42.6.9 # This is a fake control message. # # The action: # bug archived. thanks # This fakemail brought to you by your local debbugs # administrator