On Tue, Aug 18, 2015 at 01:32:19pm +0200, Vincent Lefevre wrote:
> Package: lynx-cur
> Version: 2.8.9dev6-3
> Severity: serious
> Tags: security
>
> If I run
>
>   lynx https://www.vinc17.net:4434/
>
> I get
>
> SSL error:The certificate is NOT trusted. The certificate chain is revoked.
> -Continue? (n)
>
> as expected. But if I set up a test server with the same certificate
> with:
>
>   openssl s_server -CAfile old.crt -key old.key -cert old.crt -www

Try adding the "-status" option here.

I think the problem is that both lynx and curl only support OCSP stapling,
while firefox also does full-blown OCSP.

So, if you don't enable OCSP stapling in s_server (with the -status option),
lynx and curl won't receive any response, while firefox will also try to
contact the CA's OCSP server and receive a response from that.

It's more like lack of a feature than an actual bug (hardly RC material
though, IMO).

Hope this helps.

Cheers
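
The difference described in the reply above can be checked from the client side with `openssl s_client -status`, which prints whatever OCSP response the server stapled into the handshake. The script below is an added example, not part of the original message: the function names and the two sample outputs are constructed, and it assumes only the status lines that `s_client` prints.

```sh
#!/bin/sh
# Added example: classify what a stapling-only client learns from the handshake.
# Function names and the sample text below are constructed for illustration.

# Reads `openssl s_client -status` output on stdin, prints one verdict.
classify_staple() {
    awk '
        /OCSP response: no response sent/          { state = "no-staple" }
        /OCSP Response Status:/ && !/successful/   { state = "stapled-error" }
        /Cert Status: good/                        { state = "stapled-good" }
        /Cert Status: revoked/                     { state = "stapled-revoked" }
        END { print (state == "" ? "no-status-section" : state) }
    '
}

# Live check against HOST:PORT (needs network access; not called below).
check_host() {
    openssl s_client -connect "$1" -status </dev/null 2>/dev/null | classify_staple
}

# Constructed sample: server started without -status, nothing is stapled.
sample_no_staple() {
    cat <<'EOF'
CONNECTED(00000003)
OCSP response: no response sent
---
Certificate chain
EOF
}

# Constructed sample: server staples a response marking the cert revoked.
sample_revoked() {
    cat <<'EOF'
CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: revoked
======================================
EOF
}

echo "without -status: $(sample_no_staple | classify_staple)"
echo "with -status:    $(sample_revoked | classify_staple)"
```

A `no-staple` verdict means a client that relies on stapling alone has no revocation information for that connection.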