Dear Lynx developers,
I noticed that the changelog of 2.8.7dev.5 claims to add support for
the X.509 extension subjectAltName. However, upon reading the source
it turned out that this feature is only available when using OpenSSL
but not when using GnuTLS.
Therefore I worked on support for subjectAltName for GnuTLS in Lynx on
my own. Please find the result in the attached patch. I'd be glad if
it could be included as is or modified, as you like.
The patch is made against 2.8.7dev.7.
Regards,
Joey
--
Linux - the choice of a GNU generation.
diff -u -p -Nur orig/lynx2-8-7/WWW/Library/Implementation/HTTP.c lynx2-8-7/WWW/Library/Implementation/HTTP.c
--- orig/lynx2-8-7/WWW/Library/Implementation/HTTP.c 2007-11-03 11:02:49.000000000 +0100
+++ lynx2-8-7/WWW/Library/Implementation/HTTP.c 2007-11-04 10:20:10.000000000 +0100
@@ -814,6 +814,40 @@ static int HTLoadHTTP(const char *arg,
}
/* check the X.509v3 Subject Alternative Name */
+#ifdef USE_GNUTLS_INCL
+ if (status_sslcertcheck < 2) {
+ int i;
+ size_t size;
+ gnutls_x509_crt cert;
+ static char buf[2048];
+
+ /* import the certificate to the x509_crt format */
+ if (gnutls_x509_crt_init(&cert) == 0) {
+
+ if (gnutls_x509_crt_import(cert, peer_cert, GNUTLS_X509_FMT_DER) < 0) {
+ gnutls_x509_crt_deinit(cert);
+ goto done;
+ }
+
+ ret = 0;
+ for (i=0; !(ret < 0); i++) {
+ size = sizeof(buf);
+ ret = gnutls_x509_crt_get_subject_alt_name(cert, i, buf, &size, NULL);
+
+ if (strcasecomp_asterisk(ssl_host, buf) == 0) {
+ status_sslcertcheck = 2;
+ HTSprintf0(&msg,
+ gettext("Verified connection to %s (subj=%s)"),
+ ssl_host, buf);
+ _HTProgress(msg);
+ FREE(msg);
+ break;
+ }
+
+ }
+ }
+ }
+#endif
#ifdef USE_OPENSSL_INCL
if (status_sslcertcheck < 2) {
STACK_OF(GENERAL_NAME) * gens;
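Review bot: in the loop around `ret = gnutls_x509_crt_get_subject_alt_name(cert, i, buf, &size, NULL);` the comparison `strcasecomp_asterisk(ssl_host, buf)` runs before `ret` is examined, so on the iteration where the call fails (end of the SAN list, or a name longer than the static 2048-byte `buf`) `buf` still holds the previous entry and is compared again; and when the call succeeds, `ret` is only tested for sign, although gnutls_x509_crt_get_subject_alt_name returns the name type, so an rfc822Name, URI or iPAddress entry (the last one is returned as raw octets, not a NUL-terminated string) is matched against the hostname as though it were a dNSName. Suggest checking the type first, e.g. `if (ret == GNUTLS_SAN_DNSNAME && strcasecomp_asterisk(ssl_host, buf) == 0)`, and treating GNUTLS_E_SHORT_MEMORY_BUFFER as "skip this entry" rather than ending the loop, since a single oversized name otherwise hides every name after it. Two smaller points: `gnutls_x509_crt_deinit(cert)` is called only on the import-failure path, so the imported certificate leaks after every successful loop (a deinit after the `for` is needed), and the `goto done` on import failure leaves this block by a different route than a plain mismatch does; worth confirming that is the intended outcome rather than falling through with `status_sslcertcheck` unchanged. The progress message also reports the matched SAN as `subj=`, which may confuse users reading the log.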
_______________________________________________
Lynx-dev mailing list
[email protected]
http://lists.nongnu.org/mailman/listinfo/lynx-dev