bug#16791: w3m fails to do any SSL certificate checking


From: Andreas Enge
Subject: bug#16791: w3m fails to do any SSL certificate checking
Date: Tue, 18 Feb 2014 20:23:00 +0100
User-agent: Mutt/1.5.21 (2010-09-15)

On Tue, Feb 18, 2014 at 03:58:21AM -0500, Mark H Weaver wrote:
> In Guix, neither w3m nor emacs-w3m warn me when I visit an https URL
> that uses a server certificate that is both self-signed and expired.
> To make matters worse, if I ask for page information (with the '=' key),
> it tells me that the certificate is valid.
> 
> On Debian, both w3m and emacs-w3m inform me when an SSL certificate is
> invalid in some way, e.g. if it's expired or not signed by a certificate
> authority in my trust store.

w3m can be configured to not verify SSL certificates; but this is not the
case for us. I checked that if the server presents a certificate for a
different domain, there is a message:
   Bad cert ident xxx from yyy: accept? (y/n)

However, the Debian w3m asks whether a self-signed certificate should be
accepted. Among the about 30 patches in Debian for w3m, the name of only one
is related to SSL; I am attaching it, but it does not seem related to our
problem.

Andreas

Attachment: 260_openssl.patch
Description: Text document
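
The two behaviours reported in this thread (a prompt on a certificate issued for a different domain, but no warning for a self-signed or expired one) correspond to separate checks a TLS client makes. The following is an added example, not part of the original message or of w3m: it runs each check on its own with the `openssl` command line (1.1.1 or later assumed), using throwaway certificates for the constructed names `good.example.test` and `unrelated.example.test`.

```shell
#!/bin/sh
# Constructed demo: certificates are generated locally, no network is used.

make_selfsigned() {   # $1 = output directory, $2 = hostname
    mkdir -p "$1" &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$2" -addext "subjectAltName=DNS:$2" \
        -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
}

# Chain check: does the certificate lead to an anchor in the trust store?
chain_status() {      # $1 = certificate, $2 = CA bundle used as trust store
    if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

# Identity check: was the certificate issued for the name being visited?
host_status() {       # $1 = certificate, $2 = hostname
    if openssl x509 -in "$1" -noout -checkhost "$2" | grep -q "does match"; then
        echo match
    else
        echo mismatch
    fi
}

# Validity-period check: has notAfter already passed?
expiry_status() {     # $1 = certificate
    if openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; then
        echo unexpired
    else
        echo expired
    fi
}

d=$(mktemp -d)
trap 'rm -rf "$d"' EXIT
make_selfsigned "$d/site" good.example.test
make_selfsigned "$d/other" unrelated.example.test
site="$d/site/cert.pem"
echo "chain, unrelated anchor only: $(chain_status "$site" "$d/other/cert.pem")"
echo "chain, cert added as anchor:  $(chain_status "$site" "$site")"
echo "identity good.example.test:   $(host_status "$site" good.example.test)"
echo "identity wrong.example.test:  $(host_status "$site" wrong.example.test)"
echo "validity period:              $(expiry_status "$site")"
```

A self-signed certificate passes the identity and validity-period checks for its own name, so only the chain check rejects it, and only when it is not itself in the trust store.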

