FS#57747 - [elinks] does not verify the authenticity of SSL certificates
Attached to Project:
Community Packages
Opened by Martin (greencopper) - Wednesday, 07 March 2018, 21:19 GMT
Last edited by Alad Wenter (Alad) - Sunday, 06 January 2019, 18:42 GMT
Details
Description:
As mentioned in a report on the OpenBSD mailing list, Elinks doesn't verify the server certificate when connecting to HTTPS websites. This behavior doesn't comply with section 3.2 of IETF RFC 5280, Certification Paths and Trust.
https://marc.info/?l=elinks-dev&m=148896031830582&w=2
I have tested and verified the issue with elinks in Arch Linux. To protect users against malicious websites using fake certificates and potential man-in-the-middle attacks, certificate verification has to be enabled by default.

Additional info:
elinks 0.13-19

Steps to reproduce:
1. Create a self-signed certificate.
   $ openssl genrsa -out ./privkey.pem 2048
   $ openssl req -new -sha256 -days 1 -subj '/CN=localhost' -x509 -key ./privkey.pem -out cert.crt
2. Serve a test page for the self-signed certificate.
   $ openssl s_server -key ./privkey.pem -cert ./cert.crt -HTTP -www
   The OpenSSL test server will listen on 0.0.0.0:4433, accepting HTTP requests.
3. Open another terminal and use Elinks to connect to the test server.
   $ elinks https://localhost:4433/
4. Elinks will happily connect to the test server without notifying users about the invalid or self-signed certificate. Refer to the behavior of other browsers when connecting to the test server as a comparison.
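The following script is an added example, not part of the bug report or of elinks: it rebuilds the reporter's setup (a self-signed localhost certificate served by openssl s_server on port 4433) and then connects with a client that does verify certificates, showing the rejection that elinks should have produced. The file names, the "decoy" trust store and the accepted/rejected result strings are this script's own assumptions.

```shell
#!/bin/sh
# Added example: reproduce the report's self-signed server and compare a
# verifying client against it. Requires the openssl CLI; uses port 4433
# like the report. Names below are assumptions made for this script.
set -u
WORKDIR=$(mktemp -d)
PORT=4433
SERVER_PID=

# Self-signed certificate for CN=$1, valid one day, written as $2.key/$2.crt
# (report, step 1, folded into a single openssl req call).
make_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -subj "/CN=$1" \
    -keyout "$WORKDIR/$2.key" -out "$WORKDIR/$2.crt" >/dev/null 2>&1
}

# Serve the localhost certificate the way the report does (step 2).
start_server() {
  openssl s_server -key "$WORKDIR/server.key" -cert "$WORKDIR/server.crt" \
    -accept "$PORT" -www >/dev/null 2>&1 &
  SERVER_PID=$!
  sleep 1
}
stop_server() { [ -n "$SERVER_PID" ] && kill "$SERVER_PID" 2>/dev/null; rm -rf "$WORKDIR"; }

# A verifying client: abort the handshake unless the presented chain
# validates against the trust store in $1 and the name matches localhost.
# Prints "accepted" or "rejected".
verifying_client() {
  if printf 'GET / HTTP/1.0\r\n\r\n' | openssl s_client -connect "localhost:$PORT" \
       -servername localhost -verify_hostname localhost -CAfile "$1" \
       -verify_return_error >/dev/null 2>&1; then
    echo accepted
  else
    echo rejected
  fi
}

demo() {
  make_self_signed localhost server   # what the test server presents
  make_self_signed decoy-ca decoy     # unrelated cert acting as "the trust store"
  start_server
  UNTRUSTED_RESULT=$(verifying_client "$WORKDIR/decoy.crt")  # store lacks the cert
  TRUSTED_RESULT=$(verifying_client "$WORKDIR/server.crt")   # store contains it
  stop_server
  echo "untrusted store: $UNTRUSTED_RESULT, store holding the server cert: $TRUSTED_RESULT"
}
demo
```

A client with verification enabled reports "rejected" for the first connection, which is exactly the notification the report says elinks never gave; only when the self-signed certificate is explicitly trusted does the handshake succeed.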
Closed by Alad Wenter (Alad)
Sunday, 06 January 2019, 18:42 GMT
Reason for closing: Fixed
Additional comments about closing: https://git.archlinux.org/svntogit/community.git/commit/?id=ba5a400b10e5976fca9cc2b7597dca5b6d5b3f21