Ariadne Conill dixit: > It turns out SNI is only marginally related to this issue. The issue > itself is far more severe: HTParse() does not understand the authn > part of the URI at all.
Yes, of course. But without SNI, nothing would have been sent *in plaintext* at all. The certificate validation fails¹, the connection stops and the user is asked whether to continue. ① Tested on an OS without SNI in its libssl. > As a workaround, I taught HTParse() how to parse the authn part of URIs, but > Lynx itself needs to actually properly support the authn part really. > > I have attached the patch Alpine is using to work around this infoleak. Thanks! I recall having to work manually to strip the port from the hostname for SSL certificate validation, ages ago, but I had not tested with HTTP Auth sites back then. bye, //mirabilos -- Gestern Nacht ist mein IRC-Netzwerk explodiert. Ich hatte nicht damit gerechnet, darum bin ich blutverschmiert… wer konnte ahnen, daß SIE so reagier’n… gestern Nacht ist mein IRC-Netzwerk explodiert~~~ (as of 2021-06-15 The MirOS Project temporarily reconvenes on OFTC)