On Tue, Aug 18, 2015 at 01:32:19pm +0200, Vincent Lefevre wrote:
> Package: lynx-cur
> Version: 2.8.9dev6-3
> Severity: serious
> Tags: security
> 
> If I run
> 
>   lynx https://www.vinc17.net:4434/
> 
> I get
> 
>   SSL error:The certificate is NOT trusted. The certificate chain is revoked.
>   -Continue? (n) 
> 
> as expected. But if I set up a test server with the same certificate
> with:
> 
>   openssl s_server -CAfile old.crt -key old.key -cert old.crt -www

Try adding the "-status" option here.

I think the problem is that both lynx and curl only support OCSP stapling,
while Firefox also does full-blown OCSP. So, if you don't enable OCSP stapling
in s_server (with the -status option), lynx and curl won't receive any response,
while Firefox will also try to contact the CA's OCSP server and receive a
response from that.

It's more like a lack of a feature than an actual bug (hardly RC material though,
IMO).

Hope this helps.

Cheers
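
Added example, not part of the original message: a small shell check for what a stapling-only client would learn from a server, by classifying the OCSP section of `openssl s_client -status` output. The function names and both sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Classify the OCSP stapling section of `openssl s_client -status` output
# read from stdin. Prints one of:
#   no-staple  server sent no stapled response (stapling-only clients learn nothing)
#   unusable   a response was stapled but is not a successful OCSP answer
#   good | revoked | unknown   certificate status taken from the stapled response
classify_staple() {
    awk '
        /OCSP response: no response sent/ { none = 1 }
        /OCSP Response Status:/           { seen = 1; ok = ($0 ~ /successful/) }
        /Cert Status:/ && !status         { status = $3 }
        END {
            if (none || !seen)             print "no-staple"
            else if (!ok || status == "")  print "unusable"
            else                           print status
        }'
}

# Live check against a server (hypothetical helper; needs network access).
# usage: check_host host:port
check_host() {
    openssl s_client -connect "$1" -status </dev/null 2>/dev/null | classify_staple
}

# Constructed sample: server started without -status, so nothing is stapled.
SAMPLE_NONE='CONNECTED(00000003)
OCSP response: no response sent
---'

# Constructed sample: server staples a response for a revoked certificate.
SAMPLE_REVOKED='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: revoked
    Revocation Time: Aug 17 00:00:00 2015 GMT
======================================'

for sample in "$SAMPLE_NONE" "$SAMPLE_REVOKED"; do
    printf '%s\n' "$sample" | classify_staple
done
```

A "no-staple" result means a client that relies on stapling alone receives no revocation information for that connection, whatever the CA's OCSP responder would say.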
