GNU bug report logs - #16791
w3m fails to do any SSL certificate checking

Previous Next

Package: guix;

Reported by: Mark H Weaver <mhw <at> netris.org>

Date: Tue, 18 Feb 2014 09:00:03 UTC

Severity: serious

Done: Leo Famulari <leo <at> famulari.name>

Bug is archived. No further changes may be made.

Full log

View this message in rfc822 format

From: ludo <at> gnu.org (Ludovic Courtès)
To: Leo Famulari <leo <at> famulari.name>
Cc: 16791 <at> debbugs.gnu.org
Subject: bug#16791: w3m fails to do any SSL certificate checking
Date: Tue, 05 Jan 2016 00:35:57 +0100

Leo Famulari <leo <at> famulari.name> skribis:

> On Sat, Jan 02, 2016 at 09:20:30PM -0500, Leo Famulari wrote:
>> I looked into how Debian does it. They bundle a configuration file that
>> sets the correct options.
>> 
>> If you download the "debian" file [0], which includes all of their
>> packaging for w3m, you can view the file at 'debian/w3mconfig'.
>> 
>> The relevant option is "ssl_verify_server", and it must be set to "1" in
>> order for w3m to perform verification.
>> 
>> Example with a domain whose certificate is expired:
>> $ w3m -o ssl_verify_server 1 fmrl.me
>> 
>> Do we ever bundle configuration files in this manner?
>> 
>> Can a wrapper set command-line variables?
>> 
>> I will investigate whether these options can be set at build time.
>> 
>> I don't think we should ship a browser in this state, even if users are
>> able to configure it properly after installation. w3m is used by other
>> programs like mutt to render html "under the hood".
>> 
>> [0]
>> http://http.debian.net/debian/pool/main/w/w3m/w3m_0.5.3-26.debian.tar.xz
>> 
>
> This particular issue was resolved in October 2014 in this commit
> (tested):
> http://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=05503271dfd26b843589dece0da35ba5d7d38654

Looks like applying this patch would fix the bug right away, right?

> It looks like there is a lot of development activity happening within
> Debian, beyond simple packaging [0]. Even what seems to be the official
> SourceForge page seems to be tracking the Debian work [1].
>
> The Debian developers are regularly issuing release tags but not release
> tarballs. I built from the latest one and it seems to work.
>
> I think we should use the Debian repo as the source for our w3m package.
> What does everyone else think?

Unless upstream is really dead, we should track it.  I think it’s not
the distro’s job to do non-trivial development.

What about using the latest upstream tarball, along with the patch
above and probably the one that disables SSLv{2,3}?

Thanks,
Ludo’.
This bug report was last modified 9 years and 161 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.