GNU bug report logs - #16791
w3m fails to do any SSL certificate checking

Previous Next

Package: guix;

Reported by: Mark H Weaver <mhw <at> netris.org>

Date: Tue, 18 Feb 2014 09:00:03 UTC

Severity: serious

Done: Leo Famulari <leo <at> famulari.name>

Bug is archived. No further changes may be made.

Full log

View this message in rfc822 format

From: Andreas Enge <andreas <at> enge.fr>
To: Mark H Weaver <mhw <at> netris.org>
Cc: 16791 <at> debbugs.gnu.org
Subject: bug#16791: w3m fails to do any SSL certificate checking
Date: Tue, 18 Feb 2014 20:23:00 +0100

[Message part 1 (text/plain, inline)]
On Tue, Feb 18, 2014 at 03:58:21AM -0500, Mark H Weaver wrote:
> In Guix, neither w3m nor emacs-w3m warn me when I visit an https URL
> that uses a server certificate that is both self-signed and expired.
> To make matters worse, if I ask for page information (with the '=' key),
> it tells me that the certificate is valid.
> 
> On Debian, both w3m and emacs-w3m inform me when an SSL certificate is
> invalid in some way, e.g. if it's expired or not signed by a certificate
> authority in my trust store.

w3m can be configured to not verify ssl certificates; but this is not the
case for us. I checked that if the server presents a certificate for a
different domain, there is a message:
   Bad cert ident xxx from yyy: accept? (y/n)

However, the debian w3m asks whether a self-signed certificate should be
accepted. Among the about 30 patches in debian for w3m, the name of only one
is related to ssl; I am attaching it, but it does not seem related to our
problem.

Andreas


[260_openssl.patch (text/plain, attachment)]
This bug report was last modified 9 years and 162 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.