The attached patch will abort HTTPS connections that do
not verify properly. It is thus not the final answer to
this bug, but it is a starting point.

The code eliminates use of SSLv2 from the allowed exchange
protocols, and it makes a verification exception for self
signed certificates (it would be very mean on the common user
to prevent him from using self signed certificates on his
private servers).

You had better get in touch with the security team before
considering a patch like this (links2 is drowning in
compiler warnings, by the way), as it drastically changes the
behaviour of Links2 that the average user will experience.

I have tested this against official sites, as well as others
with self-signed or outdated certificates. The first two cases pass,
and the last case leads to rejection.

-- 
Mats Erik Andersson, fil. dr
diff -Naurp links-2.2.orig//https.c links-2.2//https.c
--- links-2.2.orig//https.c
+++ links-2.2//https.c
@@ -25,8 +25,40 @@
 
 #ifdef HAVE_SSL
 
+#define VERIFY_DEPTH	10
+
 SSL_CTX *context = NULL;
 
+static int verify_cert(int code, X509_STORE_CTX *context)
+{
+	int error, depth;
+
+	error = X509_STORE_CTX_get_error(context);
+	depth = X509_STORE_CTX_get_error_depth(context);
+
+	if (depth > VERIFY_DEPTH) {
+		error = X509_V_ERR_CERT_CHAIN_TOO_LONG;
+		code = 0;
+	}
+
+	if (!code) {
+		/* Judge self signed certificates as acceptable. */
+		if (error == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN ||
+				error == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) {
+			code = 1;
+		} else {
+			fprintf(stderr, "Verification failure: %s\n",
+						X509_verify_cert_error_string(error));
+			if (depth > VERIFY_DEPTH) {
+				fprintf(stderr, "Excessive depth %d, set depth %d.\n",
+							depth, VERIFY_DEPTH);
+			}
+		}
+	}
+
+	return code;
+} /* verify_cert */
+
 SSL *getSSL(void)
 {
 	if (!context) {
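Review bot: The `context` parameter of verify_cert shadows the file-scope `SSL_CTX *context` declared two lines above it; rename it so the two cannot be confused, e.g. `static int verify_cert(int code, X509_STORE_CTX *store_ctx)` with the two `X509_STORE_CTX_get_*` calls updated to match. Second, the self-signed branch turns any `X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT` or `X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN` failure into success unconditionally, so the connection is accepted with no trust anchor and no user confirmation, and the caller cannot tell this outcome apart from a chain that actually verified. At minimum the comment on that branch should say so, e.g. `/* Accepted with no trust anchor; indistinguishable to the caller from a verified chain. */`, so a later prompt or pinning step has a clear place to hook in. Note also that when `depth > VERIFY_DEPTH` the code overwrites `error` before the self-signed test, which is correct but worth a one-line comment since the second `depth > VERIFY_DEPTH` test on the print path looks redundant at first reading.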
@@ -40,8 +72,10 @@ SSL *getSSL(void)
 		}
 		SSLeay_add_ssl_algorithms();
 		context = SSL_CTX_new(SSLv23_client_method());
-		SSL_CTX_set_options(context, SSL_OP_ALL);
+		SSL_CTX_set_options(context, SSL_OP_NO_SSLv2 | SSL_OP_ALL);
+		SSL_CTX_set_mode(context, SSL_MODE_AUTO_RETRY);
 		SSL_CTX_set_default_verify_paths(context);
+		SSL_CTX_set_verify(context, SSL_VERIFY_PEER, verify_cert);
 /* needed for systems without /dev/random, but obviously kills security. */
 		/*{
 			char pool[32768];
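Review bot: `SSL_CTX_set_verify(context, SSL_VERIFY_PEER, verify_cert)` only gets the chain checked; nothing in this hunk (or in verify_cert) compares the certificate's subject or subjectAltName with the host being connected to, so a certificate that verifies for some other name is still accepted. That comparison presumably belongs after the handshake in the code that calls SSL_connect, which is outside this hunk, and a comment here such as `/* Chain validity only; hostname matching is still TODO. */` would keep that gap visible. The depth limit could also be delegated to OpenSSL with `SSL_CTX_set_verify_depth(context, VERIFY_DEPTH);` next to this call, which would make the manual depth bookkeeping in verify_cert unnecessary. getSSL's body continues outside the hunk.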

Attachment: signature.asc
Description: Digital signature
