FS#57747 - [elinks] does not verify the authenticity of SSL certificates

Attached to Project: Community Packages
Opened by Martin (greencopper) - Wednesday, 07 March 2018, 21:19 GMT
Last edited by Alad Wenter (Alad) - Sunday, 06 January 2019, 18:42 GMT
Task Type Bug Report
Category Security
Status Closed
Assigned To Kyle Keen (keenerd)
Levente Polyak (anthraxx)
Architecture All
Severity High
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:

As mentioned in a report on the OpenBSD mailing list, Elinks doesn't verify the server certificate when connecting to HTTPS websites. This behavior doesn't comply with section 3.2 of IETF RFC 5280: Certification Paths and Trust.

https://marc.info/?l=elinks-dev&m=148896031830582&w=2

I have tested and verified the issue with elinks in Arch Linux.

To protect users against malicious websites using fake certificates and potential man-in-the-middle attacks, certificate verification has to be enabled by default.

Additional info:

elinks 0.13-19

Steps to reproduce:

1. Create a self signed certificate.

$ openssl genrsa -out ./privkey.pem 2048
$ openssl req -new -sha256 -days 1 -subj '/CN=localhost' -x509 -key ./privkey.pem -out cert.crt

2. Serve a test page for the self signed certificate.

$ openssl s_server -key ./privkey.pem -cert ./cert.crt -HTTP -www

The OpenSSL test server will listen on 0.0.0.0:4433, accepting HTTP requests.

3. Open another terminal and use Elinks to connect to the test server.

$ elinks https://localhost:4433/

4. Elinks will happily connect to the test server without notifying users about the invalid or self-signed certificate. Refer to the behavior of other browsers when connecting to the test server as a comparison.

Closed by Alad Wenter (Alad)
Sunday, 06 January 2019, 18:42 GMT
Reason for closing: Fixed
Additional comments about closing: https://git.archlinux.org/svntogit/community.git/commit/?id=ba5a400b10e5976fca9cc2b7597dca5b6d5b3f21
