Hello everyone! I was reading through some of the Lynx source code, and I have some questions about how Lynx handles TLS. Specifically, in HTTP.c:734, we see this snippet:
    if (status <= 0) {
    #if (SSLEAY_VERSION_NUMBER >= 0x0900)
    #if !defined(USE_GNUTLS_FUNCS)
        if (try_tls) {
            _HTProgress(gettext("Retrying connection without TLS."));
            try_tls = FALSE;
            if (did_connect)
                HTTP_NETCLOSE(s, handle);
            goto try_again;
After we go back to `try_again`, we eventually run into this `if` statement at
HTTP.c:716:
    if (!try_tls) {
        SSL_set_no_TLSV1();
        CTRACE((tfp, "...adding SSL_OP_NO_TLSv1\n"));
    }
My working assumption has been that if a TLS connection fails, we fall back to
disabling TLS and trying SSL instead. This seems to be confirmed by the error
message "Retrying connection without *TLS*."
However, this seems to have a few problems. Beyond the security concerns with
using SSL in 2025, this code would still allow TLS versions 1.1 and up, which
seems to contradict its seeming intent as an alternative to TLS.
There's also this preprocessor directive in HTTP.c:53 which seems to imply that
allowing TLS versions above 1.1 is intended behavior:
    #if LIBRESSL_VERSION_NUMBER >= 0x2060100fL
    #define SSL_set_no_TLSV1() SSL_set_min_proto_version(handle, TLS1_1_VERSION)
    #endif
With all of that in mind, I have a few questions:
1. Is this intended behavior or just a bug?
2. It seems like Lynx goes out of its way to support legacy versions of OpenSSL.
Would it be unreasonable to assume that a user has access to the
SSL_set_max_proto_version, which was added in OpenSSL version 1.1.0?
3. In a similar vein, would it be unreasonable to drop SSL support entirely?
Thanks in advance for your time,
---
Nate Choe <[email protected]>
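Added example, not part of the message above and not Lynx code: the two protocol-bound mechanisms the message touches (the LibreSSL macro that expands to SSL_set_min_proto_version(handle, TLS1_1_VERSION), and the SSL_OP_NO_TLSv1 option flag named in the CTRACE line), modelled with Python's ssl module, whose minimum_version / maximum_version / options attributes call SSL_CTX_set_min_proto_version, SSL_CTX_set_max_proto_version and SSL_CTX_set_options underneath. The function names are this example's own. It shows that a floor of TLS 1.1 and a single OP_NO_TLSv1 flag leave the same set of versions negotiable (TLS 1.1 and everything newer), and that only a floor plus a ceiling, the SSL_set_max_proto_version the message asks about, pins a context to one version.

```python
"""Protocol-version bounds, modelled on OpenSSL's SSL_CTX_set_min/max_proto_version
and SSL_OP_NO_* via Python's ssl module.  Added example, not Lynx source; the
function names here are this example's own."""
import ssl
import warnings

# Concrete versions OpenSSL knows, oldest to newest.  The sentinels
# MINIMUM_SUPPORTED / MAXIMUM_SUPPORTED are resolved in allowed_versions().
_VERSIONS = [
    ssl.TLSVersion.SSLv3,
    ssl.TLSVersion.TLSv1,
    ssl.TLSVersion.TLSv1_1,
    ssl.TLSVersion.TLSv1_2,
    ssl.TLSVersion.TLSv1_3,
]

# The per-version SSL_OP_NO_* flag (the older, pre-1.1.0 idiom).
_NO_OPTION = {
    ssl.TLSVersion.SSLv3: ssl.OP_NO_SSLv3,
    ssl.TLSVersion.TLSv1: ssl.OP_NO_TLSv1,
    ssl.TLSVersion.TLSv1_1: ssl.OP_NO_TLSv1_1,
    ssl.TLSVersion.TLSv1_2: ssl.OP_NO_TLSv1_2,
    ssl.TLSVersion.TLSv1_3: ssl.OP_NO_TLSv1_3,
}


def allowed_versions(ctx: ssl.SSLContext) -> list[str]:
    """Names of every version the context may still negotiate, from its
    min/max bounds and its OP_NO_* flags (Python already sets OP_NO_SSLv3)."""
    lo, hi = ctx.minimum_version, ctx.maximum_version
    if lo == ssl.TLSVersion.MINIMUM_SUPPORTED:
        lo = _VERSIONS[0]
    if hi == ssl.TLSVersion.MAXIMUM_SUPPORTED:
        hi = ssl.TLSVersion.TLSv1_3 if ssl.HAS_TLSv1_3 else ssl.TLSVersion.TLSv1_2
    return [v.name for v in _VERSIONS
            if lo <= v <= hi and not (ctx.options & _NO_OPTION[v])]


def _quietly(fn):
    """Python >= 3.10 emits a DeprecationWarning whenever TLS 1.1 or older is
    selected; the warning is itself a hint about the concern the post raises."""
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)
        fn()


def lynx_fallback_context() -> ssl.SSLContext:
    """What the quoted LibreSSL macro does on retry: a floor of TLS 1.1 and
    nothing else, so TLS 1.2 and 1.3 stay negotiable."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)

    def set_floor():
        ctx.minimum_version = ssl.TLSVersion.TLSv1_1
    _quietly(set_floor)
    return ctx


def no_tlsv1_option_context() -> ssl.SSLContext:
    """The older idiom named in the CTRACE line, SSL_OP_NO_TLSv1: it masks out
    exactly one version, so again everything newer is still negotiable."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)

    def set_flag():
        ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED  # undo any default floor
        ctx.options |= ssl.OP_NO_TLSv1
    _quietly(set_flag)
    return ctx


def pinned_context(version_name: str) -> ssl.SSLContext:
    """Floor and ceiling together (SSL_set_min_proto_version plus
    SSL_set_max_proto_version): the only way to allow exactly one version."""
    version = ssl.TLSVersion[version_name]
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)

    def set_both():
        ctx.minimum_version = version
        ctx.maximum_version = version
    _quietly(set_both)
    return ctx


if __name__ == "__main__":
    print("LibreSSL macro (min TLS1_1):", allowed_versions(lynx_fallback_context()))
    print("SSL_OP_NO_TLSv1 flag:        ", allowed_versions(no_tlsv1_option_context()))
    print("min = max = TLSv1_2:         ", allowed_versions(pinned_context("TLSv1_2")))
```

On a current OpenSSL the first two lines print the same list, TLSv1_1 through TLSv1_3, which is the point of the message: neither path is "connection without TLS", both are "TLS 1.1 or newer". The third shows the ceiling the message asks about doing what the trace message implies.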
