GNU bug report logs - #16791
w3m fails to do any SSL certificate checking

Previous Next

Package: guix;

Reported by: Mark H Weaver <mhw <at> netris.org>

Date: Tue, 18 Feb 2014 09:00:03 UTC

Severity: serious

Done: Leo Famulari <leo <at> famulari.name>

Bug is archived. No further changes may be made.

Full log

View this message in rfc822 format

From: Leo Famulari <leo <at> famulari.name>
To: 16791 <at> debbugs.gnu.org
Subject: bug#16791: w3m fails to do any SSL certificate checking
Date: Sat, 2 Jan 2016 21:20:30 -0500

I looked into how Debian does it. They bundle a configuration file that
sets the correct options.

If you download the "debian" file [0], which includes all of their
packaging for w3m, you can view the file at 'debian/w3mconfig'.

The relevant option is "ssl_verify_server", and it must be set to "1" in
order for w3m to perform verification.

Example with a domain whose certificate is expired:
$ w3m -o ssl_verify_server 1 fmrl.me

Do we ever bundle configuration files in this manner?

Can a wrapper set command-line variables?

I will investigate whether these options can be set at build time.

I don't think we should ship a browser in this state, even if users are
able to configure it properly after installation. w3m is used by other
programs like mutt to render html "under the hood".

[0]
http://http.debian.net/debian/pool/main/w/w3m/w3m_0.5.3-26.debian.tar.xz
This bug report was last modified 9 years and 162 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.