bug#16791: w3m fails to do any SSL certificate checking

bug-guix

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#16791: w3m fails to do any SSL certificate checking

From:	Leo Famulari
Subject:	bug#16791: w3m fails to do any SSL certificate checking
Date:	Mon, 4 Jan 2016 14:12:04 -0500
User-agent:	Mutt/1.5.24 (2015-08-30)

On Mon, Jan 04, 2016 at 01:19:32AM -0500, Leo Famulari wrote:
> On Sat, Jan 02, 2016 at 09:20:30PM -0500, Leo Famulari wrote:
> > I looked into how Debian does it. They bundle a configuration file that
> > sets the correct options.
> > 
> > If you download the "debian" file [0], which includes all of their
> > packaging for w3m, you can view the file at 'debian/w3mconfig'.
> > 
> > The relevant option is "ssl_verify_server", and it must be set to "1" in
> > order for w3m to perform verification.
> > 
> > Example with a domain whose certificate is expired:
> > $ w3m -o ssl_verify_server 1 fmrl.me
> > 
> > Do we ever bundle configuration files in this manner?
> > 
> > Can a wrapper set command-line variables?
> > 
> > I will investigate whether these options can be set at build time.
> > 
> > I don't think we should ship a browser in this state, even if users are
> > able to configure it properly after installation. w3m is used by other
> > programs like mutt to render html "under the hood".
> > 
> > [0]
> > http://http.debian.net/debian/pool/main/w/w3m/w3m_0.5.3-26.debian.tar.xz
> > 
> 
> This particular issue was resolved in October 2014 in this commit
> (tested):
> http://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=05503271dfd26b843589dece0da35ba5d7d38654
> 
> It looks like there is a lot of development activity happening within
> Debian, beyond simple packaging [0]. Even what seems to be the official
> SourceForge page seems to be tracking the Debian work [1].
> 
> The Debian developers are regularly issuing release tags but not release
> tarballs. I built from the latest one and it seems to work.
> 
> I think we should use the Debian repo as the source for our w3m package.
> What does everyone else think?

I wanted to "tighten" w3m's SSL configuration in general, and found that
the Debian developers have already disabled SSLv2 and SSLv3 [0] and some
insecure ciphers [1].

[0]
http://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=05503271dfd26b843589dece0da35ba5d7d38654
http://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=1aace42d026c7df31c4762ef1095ce83450916fc

[1]
http://anonscm.debian.org/cgit/collab-maint/w3m.git/commit/?id=3335b5e824eecf70055af985b12c60651787fbfc

> 
> [0]
> http://anonscm.debian.org/cgit/collab-maint/w3m.git/
> 
> [1]
> http://sourceforge.net/p/w3m/patches/71/
> 
> 
>

[Prev in Thread]

Current Thread

[Next in Thread]

bug#16791: w3m fails to do any SSL certificate checking, Leo Famulari, 2016/01/02
- bug#16791: w3m fails to do any SSL certificate checking, Leo Famulari, 2016/01/04
  - bug#16791: w3m fails to do any SSL certificate checking, Leo Famulari <=
  - bug#16791: w3m fails to do any SSL certificate checking, Ludovic Courtès, 2016/01/04
    - bug#16791: w3m fails to do any SSL certificate checking, Leo Famulari, 2016/01/05
    - bug#16791: w3m fails to do any SSL certificate checking, Leo Famulari, 2016/01/07

Prev by Date: bug#22304: Build for Julia is not reproducible
Next by Date: bug#16791: w3m fails to do any SSL certificate checking
Previous by thread: bug#16791: w3m fails to do any SSL certificate checking
Next by thread: bug#16791: w3m fails to do any SSL certificate checking
Index(es):
- Date
- Thread