Bug#983589: w3m: Cannot verify certificates any more
On 2021-02-27 at 08:22, Tatsuya Kinoshita wrote:
> -2 implicitly adds OpenSSL default paths that helps you, but
> I think this is a bug and fixed in -3.

However, this is a long-standing feature. I'll reconsider for the next upload.

Thanks,
--
Tatsuya Kinoshita
Bug#983589: w3m: Cannot verify certificates any more
On 2021-02-26 at 23:54 +0100, Samuel Thibault wrote:
> ssl_ca_file
> ssl_ca_path /etc/ssl/certs, ~/.ssl/certs

Ah, multiple paths in ssl_ca_path is not supported. The value is directly passed to OpenSSL's SSL_CTX_load_verify_locations. So, your configuration means the single nonexistent directory "/etc/ssl/certs, ~/.ssl/certs" is used.

-2 implicitly adds OpenSSL default paths that helps you, but I think this is a bug and fixed in -3.

Probably, you should set the following.

```
ssl_ca_file /etc/ssl/certs/ca-certificates.crt
ssl_ca_path ~/.ssl/certs
```

Thanks,
--
Tatsuya Kinoshita
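A pre-flight check for the misconfiguration diagnosed above, as an added example that is not part of the thread or of w3m: it reads ssl_ca_path and ssl_ca_file from a w3m config file and tests each value as the single string that is handed to OpenSSL. The function names are hypothetical, and the expansion of a leading `~/` is an assumption inferred from the suggested configuration.

```sh
#!/bin/sh
# Added example (not w3m code): lint ssl_ca_path / ssl_ca_file in a w3m config.
# Assumptions: each value reaches OpenSSL as ONE string (as the thread states)
# and a leading "~/" is expanded to $HOME (inferred from the suggested config).

# expand_tilde VALUE: print VALUE with a leading "~/" replaced by "$HOME/".
expand_tilde() {
    case "$1" in
        "~/"*) printf '%s\n' "$HOME/${1#??}" ;;
        *)     printf '%s\n' "$1" ;;
    esac
}

# config_value FILE KEY: print the value of the last "KEY value" line.
config_value() {
    awk -v k="$2" '$1 == k {
        sub(/^[ \t]*[^ \t]+[ \t]*/, ""); sub(/[ \t]+$/, ""); v = $0
    } END { print v }' "$1"
}

# check_w3m_ca FILE: print findings; return 1 if a configured store is unusable.
check_w3m_ca() {
    rc=0
    ca_path=$(expand_tilde "$(config_value "$1" ssl_ca_path)")
    ca_file=$(expand_tilde "$(config_value "$1" ssl_ca_file)")
    if [ -n "$ca_path" ] && [ ! -d "$ca_path" ]; then
        echo "ssl_ca_path: not an existing directory: $ca_path"
        rc=1
    fi
    if [ -n "$ca_file" ] && [ ! -f "$ca_file" ]; then
        echo "ssl_ca_file: not an existing file: $ca_file"
        rc=1
    fi
    if [ -z "$ca_path" ] && [ -z "$ca_file" ]; then
        echo "ssl_ca_path and ssl_ca_file both empty: OpenSSL defaults apply"
    fi
    return "$rc"
}

# Constructed sample: the configuration reported in this thread.
demo=$(mktemp -d)
printf 'ssl_ca_file\nssl_ca_path /etc/ssl/certs, ~/.ssl/certs\n' > "$demo/config"
check_w3m_ca "$demo/config" || echo "=> no usable CA store is configured"
rm -rf "$demo"
```

The check only confirms that each value names something that exists; it does not verify that the directory holds hashed certificate links or that the file contains valid PEM data.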
Bug#983589: w3m: Cannot verify certificates any more
Tatsuya Kinoshita, on Sat. 27 Feb. 2021 07:36:20 +0900, wrote:
> On 2021-02-26 at 21:25 +0100, Samuel Thibault wrote:
> > Since version 0.5.3+git20210102-3 of w3m (downgrading to -2 fixes it),
> > all https websites give me
> >
> >   unable to get local issuer certificate: accept? (y/n)
>
> Hmm, could you please tell me your configuration of ssl_ca_path
> and ssl_ca_file in <~/.w3m/config> and ?

I have

```
ssl_ca_file
ssl_ca_path /etc/ssl/certs, ~/.ssl/certs
```

Samuel
Bug#983589: w3m: Cannot verify certificates any more
On 2021-02-26 at 21:25 +0100, Samuel Thibault wrote:
> Since version 0.5.3+git20210102-3 of w3m (downgrading to -2 fixes it),
> all https websites give me
>
>   unable to get local issuer certificate: accept? (y/n)

Hmm, could you please tell me your configuration of ssl_ca_path and ssl_ca_file in <~/.w3m/config> and ?

The intentional change in -3 means that OpenSSL default paths will not be loaded if you set ssl_ca_path or ssl_ca_file.

All the following should work in -3.

```
w3m -dump -o ssl_ca_path= -o ssl_ca_file=/etc/ssl/certs/ca-certificates.crt https://www.debian.org
w3m -dump -o ssl_ca_path=/etc/ssl/certs -o ssl_ca_file= https://www.debian.org
w3m -dump -o ssl_ca_path= -o ssl_ca_file= https://www.debian.org
```

Thanks,
--
Tatsuya Kinoshita
Bug#983589: w3m: Cannot verify certificates any more
Package: w3m
Version: 0.5.3+git20210102-3
Severity: important

Hello,

Since version 0.5.3+git20210102-3 of w3m (downgrading to -2 fixes it), all https websites give me

```
unable to get local issuer certificate: accept? (y/n)
```

and choosing y gives

```
Accept unsecure SSL session: unverified: unable to get local issuer certificate
```

while choosing n quits. This makes w3m vulnerable to spoofing. I almost thought about making this a grave severity, since I believe we definitely don't want to keep this bug in Bullseye.

Samuel

```
-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'stable-debug'), (500, 'proposed-updates-debug'), (500, 'proposed-updates'), (500, 'oldoldstable'), (500, 'buildd-unstable'), (500, 'unstable'), (500, 'stable'), (500, 'oldstable'), (1, 'experimental-debug'), (1, 'buildd-experimental'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.11.0 (SMP w/8 CPU threads)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages w3m depends on:
ii  libc6      2.31-9
ii  libgc1     1:8.0.4-3
ii  libgpm2    1.20.7-8
ii  libssl1.1  1.1.1j-1
ii  libtinfo6  6.2+20201114-2
ii  zlib1g     1:1.2.11.dfsg-2

Versions of packages w3m recommends:
ii  ca-certificates  20210119

Versions of packages w3m suggests:
pn  cmigemo
ii  curl            7.74.0-1.1
ii  dict            1.13.0+dfsg-1
pn  dict-wn
pn  dictd
pn  libsixel-bin
ii  man-db          2.9.4-1
ii  mime-support    3.66
ii  mpv             0.32.0-2+b1
ii  sensible-utils  0.0.14
pn  w3m-el
ii  w3m-img         0.5.3+git20210102-2
ii  wget            1.21-1+b1
ii  xdg-utils       1.1.3-4
ii  xsel            1.2.0+git9bfc13d.20180109-3

-- no debconf information
```

--
Samuel
Actually, typing random strings in the Finder does the equivalent of filename completion.
(Discussion in comp.os.linux.misc on the intuitiveness of commands: file completion vs. the Mac Finder.)