https://bugzilla.redhat.com/show_bug.cgi?id=2379900
Lukáš Zaoral <lzao...@redhat.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED

--- Comment #4 from Lukáš Zaoral <lzao...@redhat.com> ---

Thank you for pointing that out, Thomas! I completely missed that.

I've checked the sources for the use of the SSL_CERT_FILE macro and the
associated SSL_cert_file variable, and it seems that it is only used to set
the certfile variable if GnuTLS is used [1,2], but this Fedora package uses
OpenSSL. Instead, lynx calls SSL_CTX_set_default_verify_paths to use
OpenSSL's default location with CA certificates.

[1] https://github.com/ThomasDickey/lynx-snapshots/blob/49180d7dd0ef98c0774db7e5f9b2046d02ac7057/WWW/Library/Implementation/HTTP.c#L244-L250
[2] https://github.com/ThomasDickey/lynx-snapshots/blob/49180d7dd0ef98c0774db7e5f9b2046d02ac7057/WWW/Library/Implementation/HTTP.c#L280-L295

strace shows that OpenSSL uses /etc/pki/tls/cert.pem by default, which is
also problematic according to the change proposal. However, if I remove all
problematic files listed in the proposal in my F42 test VM, OpenSSL will
still load the correct certificate and lynx is still able to load web pages
over HTTPS:

# strace -e trace=open,openat,openat2 -o out.log lynx https://www.google.com
...
# cat out.log
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib64/libbrotlidec.so.1", O_RDONLY|O_CLOEXEC) = 3
...
openat(AT_FDCWD, "/proc/sys/crypto/fips_enabled", O_RDONLY) = 4
openat(AT_FDCWD, "/etc/pki/tls/openssl.cnf", O_RDONLY) = 4
openat(AT_FDCWD, "/etc/pki/tls/openssl.d", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 5
openat(AT_FDCWD, "/etc/crypto-policies/back-ends/opensslcnf.config", O_RDONLY) = 5
openat(AT_FDCWD, "/etc/crypto-policies/back-ends/opensslcnf.config", O_RDONLY) = 4
openat(AT_FDCWD, "/etc/pki/tls/cert.pem", O_RDONLY) = -1 ENOENT (No such file or directory)   <-- fails!
openat(AT_FDCWD, "/etc/pki/tls/certs", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4
openat(AT_FDCWD, "/etc/localtime", O_RDONLY|O_CLOEXEC) = 4
openat(AT_FDCWD, "/etc/pki/tls/certs/a3418fda.0", O_RDONLY) = 4   <-- correct cert found
--- SIGINT {si_signo=SIGINT, si_code=SI_KERNEL} ---
+++ exited with 0 +++

And lynx's builtin trace function confirms that as well:

# lynx -trace https://www.google.com
# cat Lynx.trace
...
HTParse: result:`www.google.com'
...called SSL_set_tlsext_host_name(www.google.com) ->1
SSL callback:ok, preverify_ok=1, ssl_okay=0
SSL callback:ok, preverify_ok=1, ssl_okay=0
SSL callback:ok, preverify_ok=1, ssl_okay=0
Validating CNs in '/CN=www.google.com'
Matching ssl_host 'www.google.com' cert_host 'www.google.com'
Verified connection to www.google.com (cert=www.google.com)
Certificate issued by: /C=US/O=Google Trust Services/CN=WE2
Secure 256-bit TLSv1.3 (TLS_AES_256_GCM_SHA384) HTTP connection
...

Therefore, I'd say that lynx is not affected by this change.

--
You are receiving this mail because: You are on the CC list for the bug.
_______________________________________________
perl-devel mailing list -- perl-devel@lists.fedoraproject.org
List Archives: https://lists.fedoraproject.org/archives/list/perl-devel@lists.fedoraproject.org
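The fallback the strace above demonstrates (default cafile missing, hashed capath still usable) can be checked without strace from Python's ssl module, which exposes the same OpenSSL defaults. This is an added example, not code from lynx or from the bug report; it assumes a Fedora-style layout but reads the actual paths from OpenSSL rather than hard-coding them.

```python
"""Report which of OpenSSL's default CA locations a process would actually use.

Added example, not code from lynx or the bug report. It mirrors what the strace
above shows: SSL_CTX_set_default_verify_paths() tries the default cafile
(/etc/pki/tls/cert.pem on Fedora) and then the hashed capath directory
(/etc/pki/tls/certs/<subject_hash>.<n>), so a missing cafile alone is not fatal.
"""
import os
import re
import ssl

# OpenSSL names capath entries by subject-name hash, e.g. a3418fda.0 in the
# trace above; the numeric suffix disambiguates hash collisions.
_HASHED_ENTRY = re.compile(r"^[0-9a-f]{8}\.[0-9]+$")


def is_hashed_entry(name: str) -> bool:
    """True if `name` is a capath entry OpenSSL would find by hash lookup."""
    return bool(_HASHED_ENTRY.match(name))


def classify_capath_entries(names):
    """Split directory entries into hash-lookup entries and everything else."""
    hashed = sorted(n for n in names if is_hashed_entry(n))
    other = sorted(n for n in names if not is_hashed_entry(n))
    return {"hashed": hashed, "other": other}


def verify_paths_report():
    """Describe the defaults SSL_CTX_set_default_verify_paths() uses here."""
    p = ssl.get_default_verify_paths()  # honours SSL_CERT_FILE / SSL_CERT_DIR
    names = os.listdir(p.openssl_capath) if os.path.isdir(p.openssl_capath) else []
    entries = classify_capath_entries(names)
    # create_default_context() calls set_default_verify_paths() on non-Windows.
    # Caveat: cert_store_stats() only counts certs loaded eagerly from the
    # cafile; capath entries are loaded lazily at verify time, so 0 here does
    # not mean verification will fail (exactly the situation in the strace).
    loaded = ssl.create_default_context().cert_store_stats()["x509_ca"]
    return {
        "cafile": p.openssl_cafile, "cafile_env": p.openssl_cafile_env,
        "cafile_usable": p.cafile is not None,   # None when the file is absent
        "capath": p.openssl_capath, "capath_env": p.openssl_capath_env,
        "hashed_entries": len(entries["hashed"]),
        "eagerly_loaded_ca": loaded,
        "usable": p.cafile is not None or len(entries["hashed"]) > 0,
    }


if __name__ == "__main__":
    for key, value in verify_paths_report().items():
        print(f"{key:18} {value}")
```

Run it once before and once after removing the files the change proposal lists; "usable" should stay True as long as the hashed entries in capath survive.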