lynx-dev

Re: [Lynx-dev] Update for HTTPS handling


From: Thomas E. Dickey
Subject: Re: [Lynx-dev] Update for HTTPS handling
Date: Thu, 08 Nov 2012 05:30:29 -0500
User-agent: Mutt/1.5.20 (2009-06-14)

On Wed, Nov 07, 2012 at 05:50:22PM -0600, Jamie Strandboge wrote:
> Hi,
> 
> I was reviewing CVE-2012-5821[1] and the associated paper[2] and noticed
> that a change was made to lynx 2.8.8dev.13 based on feedback from one of
> the authors of the paper. The change seems to be the addition of the
> following right before the call to gnutls_certificate_verify_peers2():
>     gnutls_certificate_set_verify_flags(handle->gnutls_cred,
>                                     GNUTLS_VERIFY_DO_NOT_ALLOW_SAME |
>                                     GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
> 
> gnutls 3 will use GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT by default, but
> gnutls 2 seems not to, so setting this explicitly makes sense.
> 
> However, this is not enough to prompt for self-signed certificates. Per
> docs/README.sslcerts, lynx is supposed to prompt on self-signed
> certificates, but it will happily accept them so long as it otherwise is
> valid and the hostname checks don't fail. The problem occurs here:
> 
> ret = gnutls_certificate_verify_peers2(handle->gnutls_state, \
>                                        &tls_status);
> if (ret < 0) {
> ...
> 
> gnutls_certificate_verify_peers2() is returning '0' with a self-signed
> certificate, but it does still set GNUTLS_CERT_SIGNER_NOT_FOUND.
> Attached is a patch that prompts on a self-signed certificate and
> removes the redundant 2nd check for GNUTLS_CERT_SIGNER_NOT_FOUND. This
> patch is against 2.8.8dev.12 (so it includes the additional call to
> gnutls_certificate_set_verify_flags()) and is lightly tested. I'd
> appreciate any feedback you might have.

I see - via
        ./lib/gnutls_cert.c:gnutls_certificate_verify_peers2 ->
        ./lib/gnutls_x509.c:_gnutls_x509_cert_verify_peers ->
        ./lib/gnutls_x509.c:gnutls_x509_crt_list_verify ->
        ./lib/x509/verify.c:_gnutls_x509_verify_certificate ->
        ./lib/x509/verify.c:_gnutls_verify_certificate2 ->
        *output |= GNUTLS_CERT_SIGNER_NOT_FOUND | GNUTLS_CERT_INVALID;

That seems like an improvement (I had only noticed the cases where setting
the flag would cause ret<0 of course).  I'll do some more testing and
(probably) issue that, etc., over the next day or so.

-- 
Thomas E. Dickey <address@hidden>
http://invisible-island.net
ftp://invisible-island.net

Attachment: signature.asc
Description: Digital signature
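The point of the thread is that gnutls_certificate_verify_peers2() can return 0 for a self-signed peer while still setting GNUTLS_CERT_SIGNER_NOT_FOUND (and GNUTLS_CERT_INVALID) in the status bitmask, so a caller that only tests ret < 0 accepts the certificate silently. The following is an added illustration of that decision logic, written for this page; it is not lynx's code and not the posted patch. It does not link against GnuTLS: the status bit values are copied from gnutls/gnutls.h (gnutls_certificate_status_t) with shortened names so the example builds stand-alone, and the (ret, status) pairs fed to it are constructed to model what verify_peers2() reports in each case.

```c
#include <stdio.h>
#include <string.h>

/* Status bits of gnutls_certificate_status_t as defined in gnutls/gnutls.h.
 * Copied here so the example builds without the GnuTLS headers; check them
 * against the installed header before reusing. */
#define CERT_INVALID            (1u << 1)
#define CERT_REVOKED            (1u << 5)
#define CERT_SIGNER_NOT_FOUND   (1u << 6)
#define CERT_SIGNER_NOT_CA      (1u << 7)
#define CERT_INSECURE_ALGORITHM (1u << 8)
#define CERT_NOT_ACTIVATED      (1u << 9)
#define CERT_EXPIRED            (1u << 10)

enum cert_verdict {
    VERDICT_OK,                  /* chain verified against the trust store */
    VERDICT_PROMPT_SELF_SIGNED,  /* only finding: no trusted signer; ask the user */
    VERDICT_REJECT               /* verification failed for another reason */
};

/* ret is what gnutls_certificate_verify_peers2() returned, status is the
 * bitmask it filled in. For a self-signed certificate the call returns 0
 * but sets SIGNER_NOT_FOUND | INVALID, so testing "ret < 0" alone misses it. */
enum cert_verdict classify_peer_cert(int ret, unsigned int status)
{
    unsigned int other;

    if (ret < 0)
        return VERDICT_REJECT;      /* the verification call itself failed */
    if (status == 0)
        return VERDICT_OK;
    /* Any finding beyond "no trusted signer" (expired, revoked, weak
     * algorithm, signer not a CA, ...) is not a self-signed prompt case. */
    other = status & ~(CERT_INVALID | CERT_SIGNER_NOT_FOUND);
    if ((status & CERT_SIGNER_NOT_FOUND) && other == 0)
        return VERDICT_PROMPT_SELF_SIGNED;
    return VERDICT_REJECT;
}

/* Fill buf with a comma-separated description of the status bits, for the
 * user prompt or the trace log. Returns buf. */
const char *cert_status_string(unsigned int status, char *buf, size_t len)
{
    static const struct { unsigned int bit; const char *name; } names[] = {
        { CERT_SIGNER_NOT_FOUND,   "signer not found (self-signed or unknown CA)" },
        { CERT_SIGNER_NOT_CA,      "signer is not a CA" },
        { CERT_REVOKED,            "revoked" },
        { CERT_EXPIRED,            "expired" },
        { CERT_NOT_ACTIVATED,      "not yet valid" },
        { CERT_INSECURE_ALGORITHM, "insecure signature algorithm" },
    };
    size_t i;

    if (len == 0)
        return buf;
    buf[0] = '\0';
    for (i = 0; i < sizeof names / sizeof names[0]; i++) {
        if (!(status & names[i].bit))
            continue;
        if (buf[0] != '\0')
            strncat(buf, ", ", len - strlen(buf) - 1);
        strncat(buf, names[i].name, len - strlen(buf) - 1);
    }
    if (buf[0] == '\0')
        strncat(buf, status ? "invalid" : "ok", len - 1);
    return buf;
}

int main(void)
{
    /* Constructed (ret, status) pairs modelling what verify_peers2() reports. */
    static const struct { int ret; unsigned int status; const char *label; } cases[] = {
        {  0, 0,                                                   "trusted chain"           },
        {  0, CERT_INVALID | CERT_SIGNER_NOT_FOUND,                "self-signed"             },
        {  0, CERT_INVALID | CERT_SIGNER_NOT_FOUND | CERT_EXPIRED, "self-signed and expired" },
        {  0, CERT_INVALID | CERT_EXPIRED,                         "CA-signed but expired"   },
        { -1, 0,                                                   "verify call failed"      },
    };
    static const char *verdicts[] = { "ok", "prompt (self-signed)", "reject" };
    char buf[256];
    size_t i;

    for (i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        enum cert_verdict v = classify_peer_cert(cases[i].ret, cases[i].status);
        printf("%-24s ret=%2d status=[%s] -> %s\n", cases[i].label, cases[i].ret,
               cert_status_string(cases[i].status, buf, sizeof buf), verdicts[v]);
    }
    return 0;
}
```

The verdict is only one half of the check the message describes: the hostname comparison against the certificate is a separate step and still has to run for the VERDICT_OK and VERDICT_PROMPT_SELF_SIGNED cases. Note also that the prompt branch is deliberately narrow: a self-signed certificate that is additionally expired or uses a weak signature algorithm is rejected rather than offered to the user, since accepting the unknown signer says nothing about those other findings.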

