Re: [Lynx-dev] bug in SSL certificate validation

lynx-dev

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Lynx-dev] bug in SSL certificate validation

From:	Axel Beckert
Subject:	Re: [Lynx-dev] bug in SSL certificate validation
Date:	Fri, 6 Aug 2021 23:38:06 +0200
User-agent:	NeoMutt/20170113 (1.7.2)

Hi,

On Fri, Aug 06, 2021 at 05:14:32PM +0000, Thorsten Glaser wrote:
> this affects both OpenSSL and Debian’s nonGNUtls builds:
> 
> lynx https://user:pass@host/
> 
> … will lead to…
[…]
> SSL error:host(user:pass@host)!=cert(CN<mainhost>)-Continue? (n)
> 
> … for nonGNUtls lynx.

Indeed. https://user@host/ as well, btw.

> Obviously, user:pass@ need to be stripped before comparing.

I would be happy if there'd be a separate patch for this so we can
potentially backport this to already released versions of Lynx.

I was able to reproduce this issue in Lynx in all currently (in some
way) supported releases of Debian back to Debian 8 Jessie with ELTS
support which has Lynx 2.8.9dev1.

                Kind regards, Axel
-- 
PGP: 2FF9CD59612616B5      /~\  Plain Text Ribbon Campaign, http://arc.pasp.de/
Mail: abe@deuxchevaux.org  \ /  Say No to HTML in E-Mail and Usenet
Mail+Jabber: abe@noone.org  X
https://axel.beckert.ch/   / \  I love long mails: https://email.is-not-s.ms/

[Prev in Thread]

Current Thread

[Next in Thread]

[Lynx-dev] bug in SSL certificate validation, Thorsten Glaser, 2021/08/06
- Re: [Lynx-dev] bug in SSL certificate validation, Axel Beckert <=
- Re: [Lynx-dev] bug in Lynx' SSL certificate validation -> leaks password in clear text via SNI (under some circumstances), Axel Beckert, 2021/08/06
  - Re: [Lynx-dev] bug in Lynx' SSL certificate validation -> leaks password in clear text via SNI (under some circumstances), Thorsten Glaser, 2021/08/06
    - [Lynx-dev] SNI is a security vulnerability all by itself (was Re: bug in Lynx' SSL certificate validation -> leaks password in clear text via SNI (under some circumstances)), Thorsten Glaser, 2021/08/06
    - Re: [Lynx-dev] SNI is a security vulnerability all by itself (was Re: bug in Lynx' SSL certificate validation -> leaks password in clear text via SNI (under some circumstances)), David Woolley, 2021/08/07
    - Re: [Lynx-dev] SNI is a security vulnerability all by itself (was Re: bug in Lynx' SSL certificate validation -> leaks password in clear text via SNI (under some circumstances)), Thorsten Glaser, 2021/08/07
    - Re: [Lynx-dev] [oss-security] Re: bug in Lynx' SSL certificate validation -> leaks password in clear text via SNI (under some circumstances), Ariadne Conill, 2021/08/07
    - Re: [Lynx-dev] [oss-security] Re: bug in Lynx' SSL certificate validation -> leaks password in clear text via SNI (under some circumstances), Thorsten Glaser, 2021/08/07
    - Re: [Lynx-dev] [oss-security] Re: Bug#991971: bug in Lynx' SSL certificate validation -> leaks password in clear text via SNI (under some circumstances), Axel Beckert, 2021/08/07
    - Re: [Lynx-dev] [oss-security] Re: Bug#991971: bug in Lynx' SSL certificate validation -> leaks password in clear text via SNI (under some circumstances), Ariadne Conill, 2021/08/07
    - Re: [Lynx-dev] [oss-security] Re: Bug#991971: bug in Lynx' SSL certificate validation -> leaks password in clear text via SNI (under some circumstances), Axel Beckert, 2021/08/07

Prev by Date: [Lynx-dev] bug in SSL certificate validation
Next by Date: Re: [Lynx-dev] bug in Lynx' SSL certificate validation -> leaks password in clear text via SNI (under some circumstances)
Previous by thread: [Lynx-dev] bug in SSL certificate validation
Next by thread: Re: [Lynx-dev] bug in Lynx' SSL certificate validation -> leaks password in clear text via SNI (under some circumstances)
Index(es):
- Date
- Thread