lynx-dev

Re: lynx-dev Segfault with https


From: Thomas Dickey
Subject: Re: lynx-dev Segfault with https
Date: Mon, 13 Oct 2003 21:01:11 -0400
User-agent: Mutt/1.5.4i

On Sat, Oct 11, 2003 at 11:42:21AM -0700, Ilya Zakharevich wrote:
> I installed openssl 0.9.7c.  I installed mod_ssl's PEM file where lynx
> can find it.  [Howto verify: connection to https://www.ibm.com goes
> without any warning.]

In luck this time (I spent yesterday bending configurations to test other
stuff), I get this with my Debian/testing configuration for "free".
 
> Now I try to connect to
> https://mirbsd.bsdadvocacy.org:8890/active/cvsweb.cgi/src/etc/
> (as mentioned in one of [very unhelpful] openssl-setup advices).
> 
> I get a prompt
> 
> SSL error:unable to get local issuer certificate-Continue? (y)

same

>   If I answer no: connection succeeds.  End of story.

? (mine cancels as expected)
 
>   If I answer yes: I'm presented with the same question again.

um, yes - it isn't satisfied yet.  But if I continue, the trace indicates
that it's making the connection.
 
> a) Why?  The trace shows "connection without TSL".  Should not the
> prompt reflect the difference?  Should not the difference be explained
> somewhere?
> 
>      b) If I answer yes: immediate segfault (in some non-trivial place,
>         like inside fopen())

in lynx, or openssl?
 
>      c) If I answer no: half of the page is loaded, then I get a segfault.

:-(
 
> d) And at the beginning of it all, the initial message is not very
>    helpful either.  As my correspondent with Mozilla found, this place
>    *has* a certificate, but it is not chained to anything "standard", so
>    is not "trusted".  Cannot a different message be shown?

The message comes from openssl, not lynx.  There might be a better way to
set up the check (to get a different error message for instance), but looking
at the code of X509_verify_cert_error_string, I don't see that would happen.
The problem is that it's jargon - needs some explanation.

-- 
Thomas E. Dickey <address@hidden>
http://invisible-island.net
ftp://invisible-island.net
