Martin Schulze wrote:
> Package: lynx
> Version: 2.8.5-2sarge2.2
> Severity: important
> 
> According to RFC 2818 Section 3.1 certificates may contain the wildcard
> character * which is considered to match any single domain name component
> or component fragment. E.g., *.a.com matches foo.a.com but not
> bar.foo.a.com. f*.com matches foo.com but not bar.com.
> 
> Lynx in its current implementation in Debian sid does not understand this.
> 
> Since the misdetection of SSL certificates is of severity important, I
> assume that this is as well, as it renders valid certificates sort of
> invalid.

Attached is a patch to fix this.

Regards,

        Joey

-- 
Have you ever noticed that "General Public Licence" contains the word "Pub"?

Please always Cc to me when replying to me on the lists.
#! /bin/sh /usr/share/dpatch/dpatch-run
## 08_wildcard_cert.dpatch by Joey Schulze <[EMAIL PROTECTED]>
##
## DP: This patch makes lynx accept wild card SSL certificates as well.
## DP: They are specified in RFC 2818 3.1.

diff -u -p -Nr --exclude CVS lynx-2.8.5.orig/WWW/Library/Implementation/HTTP.c lynx-2.8.5/WWW/Library/Implementation/HTTP.c
--- lynx-2.8.5.orig/WWW/Library/Implementation/HTTP.c   2006-12-03 16:45:35.000000000 +0100
+++ lynx-2.8.5/WWW/Library/Implementation/HTTP.c        2006-12-03 17:04:20.000000000 +0100
@@ -357,6 +357,29 @@ PRIVATE void strip_userid ARGS1(
     }
 }
 
+/*
+ * Compare an hostname with a certification host name
+ */
+PRIVATE int wildcard_match ARGS2(
+       char *,         ssl_host,
+       char *,         cert_host)
+{
+  char *shp, *chp;
+
+  if (!strcasecomp(ssl_host, cert_host))
+    return TRUE;
+
+  if (cert_host[0] == '*' && cert_host[1] == '.') {
+    chp = cert_host + 2;
+    if ((shp = strchr(ssl_host, '.')) != NULL) {
+      shp++;
+      if (!strcasecomp(shp, chp))
+       return TRUE;
+    }
+  }
+  return FALSE;
+}
+
 /*             Load Document from HTTP Server                  HTLoadHTTP()
 **             ==============================
 **
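Review bot: wildcard_match only recognises a leading "*." prefix, so the `f*.com` component-fragment form that the report quotes from RFC 2818 3.1 still falls through to `return FALSE;`; either match the '*' within a single label (scan cert_host up to the next '.' instead of testing `cert_host[0] == '*' && cert_host[1] == '.'`) or say in the DP description that only the `*.domain` form is supported. It is also worth requiring that the text after "*." contain at least one more '.', since as written a certificate for `*.com` would be accepted for any second-level host. Minor: the comment should read "a hostname" and "certificate host name", and both parameters could be `CONST char *` since they are never written to.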
@@ -605,7 +628,7 @@ use_tunnel:
          ssl_host = HTParse(url, "", PARSE_HOST);
          if ((p = strchr(ssl_host, ':')) != NULL)
              *p = '\0';
-         if (strcasecomp(ssl_host, cert_host)) {
+         if (!wildcard_match(ssl_host, cert_host)) {
              HTSprintf0(&msg,
                         gettext("SSL error:host(%s)!=cert(%s)-Continue?"),
                         ssl_host,
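Review bot: ssl_host here is the raw HTParse result with only the ':port' suffix stripped, so a numeric IP-address literal also reaches wildcard_match, and RFC 2818 3.1 does not allow wildcard matching against IP addresses; consider keeping the old `strcasecomp(ssl_host, cert_host)` test for hosts that consist only of digits and dots and calling wildcard_match only for DNS names.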

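A fuller RFC 2818 section 3.1 matcher than the prefix-only check in the patch, added here as an example (it is neither lynx code nor part of Joey's patch): it also accepts the `f*.com` fragment form the report cites, compares labels case-insensitively, and never lets a `*` cross a label boundary, so `*.a.com` covers `foo.a.com` but not `bar.foo.a.com`. The function names `rfc2818_host_match` and `label_match` are my own.

```c
/* RFC 2818 section 3.1 wildcard host matching, written as an added example
 * (not lynx code). A '*' inside a label of cert_host matches any run of
 * characters within the corresponding single label of host, never a '.',
 * so "*.a.com" matches "foo.a.com" but not "bar.foo.a.com", and "f*.com"
 * matches "foo.com" but not "bar.com". Comparison is case-insensitive. */
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Match one label; c may contain '*' wildcards. Returns 1 on match. */
static int label_match(const char *h, size_t hlen, const char *c, size_t clen)
{
    size_t hi = 0, ci = 0;
    while (ci < clen) {
        if (c[ci] == '*') {
            /* Collapse consecutive '*' and try every split of the rest. */
            while (ci < clen && c[ci] == '*') ci++;
            if (ci == clen) return 1;          /* trailing '*' eats the rest */
            for (size_t k = hi; k <= hlen; k++)
                if (label_match(h + k, hlen - k, c + ci, clen - ci)) return 1;
            return 0;
        }
        if (hi >= hlen ||
            tolower((unsigned char)h[hi]) != tolower((unsigned char)c[ci]))
            return 0;
        hi++; ci++;
    }
    return hi == hlen;      /* cert label exhausted: host label must be too */
}

/* Returns 1 if host is covered by cert_host under RFC 2818 rules, else 0.
 * Labels are compared one at a time, so the number of labels must agree. */
int rfc2818_host_match(const char *host, const char *cert_host)
{
    if (!host || !cert_host || !*host || !*cert_host) return 0;
    for (;;) {
        const char *hd = strchr(host, '.');
        const char *cd = strchr(cert_host, '.');
        size_t hlen = hd ? (size_t)(hd - host) : strlen(host);
        size_t clen = cd ? (size_t)(cd - cert_host) : strlen(cert_host);
        if (hlen == 0 || clen == 0) return 0;   /* empty label: reject */
        if (!label_match(host, hlen, cert_host, clen)) return 0;
        if (!hd && !cd) return 1;               /* all labels matched */
        if (!hd || !cd) return 0;               /* different label counts */
        host = hd + 1;
        cert_host = cd + 1;
    }
}
```

This implements only what RFC 2818 3.1 says; the later tightening that a wildcard must sit in the left-most label with at least two labels after it is not part of that text and is left out here.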