Debian Bug report logs - #231609
lynx: ssl common name is not detected properly

Package: lynx; Maintainer for lynx is Atsuhito KOHDA <kohda@debian.org>; Source for lynx is src:lynx-cur.

Reported by: Torbjörn Wassberg <torbjorn.wassberg.8667@student.uu.se>

Date: Sat, 7 Feb 2004 19:33:01 UTC

Severity: important

Tags: fixed-upstream

Merged with 268102

Found in versions 2.8.5-1, lynx-cur/2.8.7dev9-1.2

Fixed in version lynx-cur/2.8.8dev.1-1

Done: Atsuhito KOHDA <kohda@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, James Troup <james@nocrew.org>:
Bug#231609; Package lynx. Full text and rfc822 format available.

Acknowledgement sent to Torbjörn Wassberg <torbjorn.wassberg.8667@student.uu.se>:
New Bug report received and forwarded. Copy sent to James Troup <james@nocrew.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Torbjörn Wassberg <torbjorn.wassberg.8667@student.uu.se>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: lynx: ssl common name is not detected properly
Date: Sat, 07 Feb 2004 20:25:48 +0100
Package: lynx
Version: 2.8.5-1
Severity: normal
Tags: patch

lynx expects X509_NAME_oneline to return a / before CN=, but that is not (any longer?) the case.

-- System Information:
Debian Release: unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.2-mm1
Locale: LANG=en_US, LC_CTYPE=sv_SE

Versions of packages lynx depends on:
ii  libbz2-1.0                1.0.2-1        A high-quality block-sorting file 
ii  libc6                     2.3.2.ds1-11   GNU C Library: Shared libraries an
ii  libgnutls7                0.8.12-5       GNU TLS library - runtime library
ii  libncursesw5              5.3.20030719-5 Shared libraries for terminal hand
ii  zlib1g                    1:1.2.1-3      compression library - runtime

-- no debconf information

[ssl-patch.diff (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, James Troup <james@nocrew.org>:
Bug#231609; Package lynx. Full text and rfc822 format available.

Acknowledgement sent to Timo Aaltonen <tjaalton@cc.hut.fi>:
Extra info received and forwarded to list. Copy sent to James Troup <james@nocrew.org>. Full text and rfc822 format available.

Message #10 received at 231609@bugs.debian.org (full text, mbox):

From: Timo Aaltonen <tjaalton@cc.hut.fi>
To: 231609@bugs.debian.org
Subject: fix this please
Date: Wed, 16 Jun 2004 09:58:22 +0300 (EEST)

  Without this fix lynx is unusable in scripts that involve https-sites.
I've had lynx update on hold for more than four months now..



Information forwarded to debian-bugs-dist@lists.debian.org, James Troup <james@nocrew.org>:
Bug#231609; Package lynx. Full text and rfc822 format available.

Acknowledgement sent to Joseph Walton <joe@kafsemo.org>:
Extra info received and forwarded to list. Copy sent to James Troup <james@nocrew.org>. Full text and rfc822 format available.

Message #15 received at 231609@bugs.debian.org (full text, mbox):

From: Joseph Walton <joe@kafsemo.org>
To: 231609@bugs.debian.org
Subject: Patch for GnuTLS CN check
Date: Tue, 14 Dec 2004 19:49:08 +0000
I've attached a patch to check the CN through GnuTLS' API, rather than
parsing the DN string. It works for me against real sites, but is unchecked
against certificates with no CN present.
-- 
------------------------------------------------------------ Joseph Walton --
---------------------- "I am often accused of trolling (whatever that is)" --
[lynx-ssl.diff (text/plain, attachment)]

Merged 231609 268102. Request was from Martin Schulze <joey@infodrom.org> to control@bugs.debian.org. Full text and rfc822 format available.

Information stored:
Bug#231609; Package lynx. Full text and rfc822 format available.

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and filed, but not forwarded. Full text and rfc822 format available.

Message #22 received at 231609-quiet@bugs.debian.org (full text, mbox):

From: Martin Schulze <joey@infodrom.org>
To: 268102-quiet@bugs.debian.org, 231609-quiet@bugs.debian.org
Subject: Re: lynx: SSL error:Can't find common name in certificate-Continue? (y)
Date: Thu, 27 Jan 2005 19:28:20 +0100
I've applied the patch by Torbjörn Wassberg and built packages since
this bug was annoying enough to me to get rid of it.  For convenience
I've placed packages online so other people can use them as well.
Feel free.

They're in http://people.debian.org/~joey/NMU/lynx/

Regards,

	Joey

-- 
Of course, I didn't mean that, which is why I didn't say it.
What I meant to say, I said.              -- Thomas Bushnell

Please always Cc to me when replying to me on the lists.



Information forwarded to debian-bugs-dist@lists.debian.org, James Troup <james@nocrew.org>:
Bug#231609; Package lynx. Full text and rfc822 format available.

Acknowledgement sent to Kurt Roeckx <kurt@roeckx.be>:
Extra info received and forwarded to list. Copy sent to James Troup <james@nocrew.org>. Full text and rfc822 format available.

Message #27 received at 231609@bugs.debian.org (full text, mbox):

From: Kurt Roeckx <kurt@roeckx.be>
To: 231609@bugs.debian.org
Cc: torbjorn.wassberg.8667@student.uu.se, Joseph Walton <joe@kafsemo.org>, Martin Schulze <joey@infodrom.org>, Jan Minar <jjminar@fastmail.fm>, dickey@his.com
Subject: lynx: SSL sites don't work with the gnutls library.
Date: Thu, 2 Mar 2006 00:50:03 +0100
Hi,

This seems to be a difference between how the openssl and the
gnutls library return the name of the subject.  For instance, for
nm.debian.org, for the subject you get:
/C=US/ST=Indiana/L=Indianapolis/O=Debian/OU=NM/CN=nm.debian.org/emailAddress=debian-admin@lists.debian.org

While with gnutls you get:
C=, ST=Indiana, L=Indianapolis, O=Debian, OU=NM, CN=nm.debian.org/Email=debian-admin@lists.debian.org

(I wonder why the C= doesn't say US in case of gnutls though.)

So a version built with openssl is working without problems.


Anyway, the openssl manpage says:
NOTES
       The functions X509_NAME_oneline() and X509_NAME_print() are legacy
       functions which produce a non standard output form, they don't handle
       multi character fields and have various quirks and inconsistencies.
       Their use is strongly discouraged in new applications.

Looking at the openssl library, I think it's best to use
X509_NAME_get_index_by_NID/OBJ()/X509_NAME_get_entry(), and then go
over the list of common names.  But it looks like gnutls doesn't
support that?

The gnutls equivalent would be something like
gnutls_x509_crt_get_issuer_dn_by_oid?


Kurt
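
The mismatch described in the original report and in the message above, as an added example (not code from lynx or from any patch attached to this report). The function names cn_slash_only and cn_any_separator are hypothetical; the two sample strings are the subject strings quoted above. String matching is shown only to make the failure visible; the thread's own suggestion is to query the CN through the TLS library's API instead of parsing the one-line DN.

```c
#include <stdio.h>
#include <string.h>

/* Sample inputs: the two subject strings quoted in the message above. */
static const char OPENSSL_DN[] =
    "/C=US/ST=Indiana/L=Indianapolis/O=Debian/OU=NM/CN=nm.debian.org"
    "/emailAddress=debian-admin@lists.debian.org";
static const char GNUTLS_DN[] =
    "C=, ST=Indiana, L=Indianapolis, O=Debian, OU=NM, CN=nm.debian.org"
    "/Email=debian-admin@lists.debian.org";

/* Copy the attribute value starting at p, stopping at '/' or ','.
 * Returns 1 on success, 0 if the value is empty or does not fit. */
static int copy_value(const char *p, char *out, size_t outlen)
{
    size_t n = strcspn(p, "/,");
    if (n == 0 || n >= outlen)
        return 0;
    memcpy(out, p, n);
    out[n] = '\0';
    return 1;
}

/* Hypothetical reconstruction of the assumption in the report:
 * the CN attribute is always introduced by a '/'. */
int cn_slash_only(const char *dn, char *out, size_t outlen)
{
    const char *p = strstr(dn, "/CN=");
    return p ? copy_value(p + 4, out, outlen) : 0;
}

/* Accept "CN=" at the start of the string or after '/' or ','
 * (optionally followed by spaces), so both layouts are handled. */
int cn_any_separator(const char *dn, char *out, size_t outlen)
{
    const char *p = dn;
    while ((p = strstr(p, "CN=")) != NULL) {
        const char *q = p;
        while (q > dn && q[-1] == ' ')   /* skip the blank after ", " */
            q--;
        if (q == dn || q[-1] == '/' || q[-1] == ',')
            return copy_value(p + 3, out, outlen);
        p += 3;                          /* "CN=" inside another token */
    }
    return 0;
}

int main(void)
{
    char cn[64];
    printf("slash-only, OpenSSL form: %s\n",
           cn_slash_only(OPENSSL_DN, cn, sizeof cn) ? cn : "(not found)");
    printf("slash-only, GnuTLS form:  %s\n",
           cn_slash_only(GNUTLS_DN, cn, sizeof cn) ? cn : "(not found)");
    printf("any-separator, GnuTLS:    %s\n",
           cn_any_separator(GNUTLS_DN, cn, sizeof cn) ? cn : "(not found)");
    return 0;
}
```

Even the tolerant matcher cannot tell a real CN attribute from separator characters embedded in another attribute's value, which is one of the quirks the quoted man page note refers to.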




Information stored:
Bug#231609; Package lynx. Full text and rfc822 format available.

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and filed, but not forwarded. Full text and rfc822 format available.

Message #32 received at 231609-quiet@bugs.debian.org (full text, mbox):

From: Martin Schulze <joey@infodrom.org>
To: 231609-quiet@bugs.debian.org
Subject: New patch and packages available
Date: Sat, 13 May 2006 09:15:17 +0200
Due to an upcoming security release the binary packages needed to
be updated again.  Attached is the dpatch file required and the
URLs to the new packages built after the security update are:

http://people.debian.org/~joey/NMU/lynx/lynx_2.8.5-2sarge2.1.diff.gz
http://people.debian.org/~joey/NMU/lynx/lynx_2.8.5-2sarge2.1.dsc
http://people.debian.org/~joey/NMU/lynx/lynx_2.8.5-2sarge2.1_i386.changes
http://people.debian.org/~joey/NMU/lynx/lynx_2.8.5-2sarge2.1_i386.deb
http://people.debian.org/~joey/NMU/lynx/lynx_2.8.5-2sarge2.1_i386.log

Regards,

	Joey

-- 
Linux - the choice of a GNU generation.

Please always Cc to me when replying to me on the lists.
[05_BUG231609.dpatch (text/plain, attachment)]

Severity set to `important' from `normal' Request was from Martin Schulze <joey@infodrom.org> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, warp@debian.org (Zephaniah E. Hull):
Bug#231609; Package lynx. Full text and rfc822 format available.

Acknowledgement sent to "Zephaniah E. Hull" <warp@aehallh.com>:
Extra info received and forwarded to list. Copy sent to warp@debian.org (Zephaniah E. Hull). Full text and rfc822 format available.

Message #39 received at 231609@bugs.debian.org (full text, mbox):

From: "Zephaniah E. Hull" <warp@aehallh.com>
To: 231609@bugs.debian.org
Subject: Patch no longer applies.
Date: Wed, 2 May 2007 04:06:02 -0400
This patch no longer applies to the code as it stands in 2.8.6, and I
don't understand the SSL code well enough to risk an adaptation.

I'd appreciate it if someone who knows SSL well enough to be sure that
they are doing it securely would look over the issue and recommend a
patch.

Thanks.
Zephaniah E. Hull.

-- 
	  1024D/E65A7801 Zephaniah E. Hull <warp@aehallh.com>
	   92ED 94E4 B1E6 3624 226D  5727 4453 008B E65A 7801
	    CCs of replies from mailing lists are requested.

     "First they came for the Jews, and I didn't speak out - because I
was not a jew. Then they came for the Communists, and I did not speak
out - because I was not a Communist. Then they came for the trade
unionists, and I did not speak out - because I was not a trade unionist.
Then they came for me and there was no one left to speak for me!"
  - Pastor Niemoeller - victim of Hitler's Nazis

Information forwarded to debian-bugs-dist@lists.debian.org, warp@debian.org (Zephaniah E. Hull):
Bug#231609; Package lynx. Full text and rfc822 format available.

Acknowledgement sent to Marek Kubica <pythonmailing@web.de>:
Extra info received and forwarded to list. Copy sent to warp@debian.org (Zephaniah E. Hull). Full text and rfc822 format available.

Message #44 received at 231609@bugs.debian.org (full text, mbox):

From: Marek Kubica <pythonmailing@web.de>
To: 231609@bugs.debian.org
Subject: Work-around for current lynx version
Date: Sat, 17 Nov 2007 09:27:50 +0100
As I needed lynx for a script which used SSL I decided to use a hack. I
created a lynx.cfg which contains

INCLUDE:/etc/lynx.cfg
FORCE_SSL_PROMPT:YES

and now I'm calling lynx -cfg lynx.cfg <https-url> which works fine.




Information forwarded to debian-bugs-dist@lists.debian.org, Atsuhito KOHDA <kohda@debian.org>:
Bug#231609; Package lynx. Full text and rfc822 format available.

Acknowledgement sent to Andreas Metzler <ametzler@downhill.at.eu.org>:
Extra info received and forwarded to list. Copy sent to Atsuhito KOHDA <kohda@debian.org>. Full text and rfc822 format available.

Message #49 received at 231609@bugs.debian.org (full text, mbox):

From: Andreas Metzler <ametzler@downhill.at.eu.org>
To: 231609@bugs.debian.org
Subject: Re: lynx: SSL error:Can't find common name in certificate-Continue? (y)
Date: Sat, 19 Jul 2008 08:17:57 +0200
found 231609 2.8.7dev9-1.2
thanks

On 2004-08-26 Jan Minar <jjminar@fastmail.fm> wrote:
> Package: lynx
> Version: 2.8.5-1
> Severity: important

> This makes lynx unusable as a HTTP*S* browser.

> $ lynx https://www.thawte.com
> ...
> SSL error:Can't find common name in certificate-Continue? (y) 

> (In a text window, that is.)

> I've tried a few https: sites, with the same result.  w3m or firefox groks
> them ok.  Particularly, there *was* a Common Name in those certificates.

> Cheers,
> Jan.
[....]

This still seems to apply to the lynx-cur codebase, the message has
changed though from
SSL error:Can't find common name in certificate-Continue? (y) 
to
SSL error:no issuer was found-Continue? (y)
cu andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'




Bug marked as found in version 2.8.7dev9-1.2. Request was from Andreas Metzler <ametzler@downhill.at.eu.org> to control@bugs.debian.org. (Sat, 19 Jul 2008 06:21:03 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Atsuhito KOHDA <kohda@debian.org>:
Bug#231609; Package lynx. (Tue, 19 May 2009 15:24:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Thorsten Glaser <tg@mirbsd.de>:
Extra info received and forwarded to list. Copy sent to Atsuhito KOHDA <kohda@debian.org>. (Tue, 19 May 2009 15:24:05 GMT) Full text and rfc822 format available.

Message #56 received at 231609@bugs.debian.org (full text, mbox):

From: Thorsten Glaser <tg@mirbsd.de>
To: 231609@bugs.debian.org
Subject: Re: lynx: SSL error:Can't find common name in certificate-Continue? (y)
Date: Tue, 19 May 2009 15:18:51 +0000 (UTC)
>This still seems to apply to the lynx-cur codebase, the message has
>changed though from
>SSL error:Can't find common name in certificate-Continue? (y)
>to
>SSL error:no issuer was found-Continue? (y)

No, that is a different bug (#529482), caused by GnuTLS as well though.

I supplied the fix for THIS bug (CN) to lynx upstream, btw, but
it only works with OpenSSL.

//mirabilos
-- 
“It is inappropriate to require that a time represented as
 seconds since the Epoch precisely represent the number of
 seconds between the referenced time and the Epoch.”
	-- IEEE Std 1003.1b-1993 (POSIX) Section B.2.2.2




Information forwarded to debian-bugs-dist@lists.debian.org, Atsuhito KOHDA <kohda@debian.org>:
Bug#231609; Package lynx. (Sat, 29 Aug 2009 14:00:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to dickey@his.com:
Extra info received and forwarded to list. Copy sent to Atsuhito KOHDA <kohda@debian.org>. (Sat, 29 Aug 2009 14:00:05 GMT) Full text and rfc822 format available.

Message #61 received at 231609@bugs.debian.org (full text, mbox):

From: Thomas Dickey <dickey@his.com>
To: 231609@bugs.debian.org
Cc: 231609-submitter@bugs.debian.org
Subject: re: #231609 lynx: ssl common name is not detected properly
Date: Sat, 29 Aug 2009 09:51:09 -0400
A remaining issue was fixed in 2.8.8dev.1

-- 
Thomas E. Dickey <dickey@invisible-island.net>
http://invisible-island.net
ftp://invisible-island.net

Added tag(s) fixed-upstream; removed tag(s) patch. Request was from Thomas Dickey <dickey@his.com> to control@bugs.debian.org. (Sat, 29 Aug 2009 14:00:15 GMT) Full text and rfc822 format available.

Message sent on to Torbjörn Wassberg <torbjorn.wassberg.8667@student.uu.se>:
Bug#231609. (Sat, 29 Aug 2009 14:00:19 GMT) Full text and rfc822 format available.

Reply sent to Atsuhito KOHDA <kohda@debian.org>:
You have taken responsibility. (Tue, 01 Sep 2009 01:06:13 GMT) Full text and rfc822 format available.

Notification sent to Torbjörn Wassberg <torbjorn.wassberg.8667@student.uu.se>:
Bug acknowledged by developer. (Tue, 01 Sep 2009 01:06:14 GMT) Full text and rfc822 format available.

Message #71 received at 231609-close@bugs.debian.org (full text, mbox):

From: Atsuhito KOHDA <kohda@debian.org>
To: 231609-close@bugs.debian.org
Subject: Bug#231609: fixed in lynx-cur 2.8.8dev.1-1
Date: Tue, 01 Sep 2009 00:37:40 +0000
Source: lynx-cur
Source-Version: 2.8.8dev.1-1

We believe that the bug you reported is fixed in the latest version of
lynx-cur, which is due to be installed in the Debian FTP archive:

lynx-cur-wrapper_2.8.8dev.1-1_all.deb
  to pool/main/l/lynx-cur/lynx-cur-wrapper_2.8.8dev.1-1_all.deb
lynx-cur_2.8.8dev.1-1.diff.gz
  to pool/main/l/lynx-cur/lynx-cur_2.8.8dev.1-1.diff.gz
lynx-cur_2.8.8dev.1-1.dsc
  to pool/main/l/lynx-cur/lynx-cur_2.8.8dev.1-1.dsc
lynx-cur_2.8.8dev.1-1_i386.deb
  to pool/main/l/lynx-cur/lynx-cur_2.8.8dev.1-1_i386.deb
lynx-cur_2.8.8dev.1.orig.tar.gz
  to pool/main/l/lynx-cur/lynx-cur_2.8.8dev.1.orig.tar.gz
lynx_2.8.8dev.1-1_all.deb
  to pool/main/l/lynx-cur/lynx_2.8.8dev.1-1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 231609@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Atsuhito KOHDA <kohda@debian.org> (supplier of updated lynx-cur package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Mon, 31 Aug 2009 20:04:44 +0900
Source: lynx-cur
Binary: lynx-cur lynx-cur-wrapper lynx
Architecture: source all i386
Version: 2.8.8dev.1-1
Distribution: unstable
Urgency: low
Maintainer: Atsuhito KOHDA <kohda@debian.org>
Changed-By: Atsuhito KOHDA <kohda@debian.org>
Description: 
 lynx       - Text-mode WWW Browser (transitional package)
 lynx-cur   - Text-mode WWW Browser with NLS support (development version)
 lynx-cur-wrapper - Wrapper for lynx-cur
Closes: 231609 352596 408835 537907
Changes: 
 lynx-cur (2.8.8dev.1-1) unstable; urgency=low
 .
   * New Upstream Release.
    - add optional support for IDNA using GNU libidn (Closes: #352596)
    - ignore LEFT-TO-RIGHT-MARK (U+200E) in HTML files (Closes: #408835)
    - correct check for return-value from gnutls_certificate_verify_peers2(),
      which caused some sites to be treated as if they were version-1 X.509 CAs
      (Closes: #231609)
    - change compiled-in default for SYSLOG_REQUESTED_URLS to false.
      (Closes: #537907)





Reply sent to Atsuhito KOHDA <kohda@debian.org>:
You have taken responsibility. (Tue, 01 Sep 2009 01:06:14 GMT) Full text and rfc822 format available.

Notification sent to Jan Minar <jjminar@fastmail.fm>:
Bug acknowledged by developer. (Tue, 01 Sep 2009 01:06:14 GMT) Full text and rfc822 format available.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 09 Oct 2009 07:28:55 GMT) Full text and rfc822 format available.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 16:43:58 2014; Machine Name: beach.debian.org
