Hi,

The following email appeared in my inbox from the elinks-dev list (I
can't link you to it because it seems all the elinks archives have
either disappeared or are out of date).

I've verified that elinks is not checking the validity of certificates
by hitting https://www.pcwebshop.co.uk/ in both chromium and elinks.
Chromium warns, elinks does not.

I think we should tear out SSL support until upstream makes a patch. If
such a patch doesn't show up soon, then we should probably consider
killing this port. It's not the first time elinks has had SSL issues and
it seems to be bitrotting...

With the below patch, hitting an HTTPS site gives a message:
"This version of ELinks does not contain SSL/TLS support"

OK?

Index: Makefile
===================================================================
RCS file: /home/edd/cvsync/ports/www/elinks/Makefile,v
retrieving revision 1.37
diff -u -p -r1.37 Makefile
--- Makefile    30 Jan 2017 10:06:55 -0000      1.37
+++ Makefile    10 Mar 2017 10:45:34 -0000
@@ -1,8 +1,7 @@
 # $OpenBSD: Makefile,v 1.37 2017/01/30 10:06:55 jca Exp $
-
 COMMENT=               full-featured text WWW browser
 DISTNAME=              elinks-0.11.7
-REVISION=              10
+REVISION=              11
 CATEGORIES=            www
 MASTER_SITES=          http://elinks.cz/download/
 
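Review bot: the removal of the blank line after the $OpenBSD$ header in this hunk is unrelated whitespace churn; drop it so the security change stays minimal and the Makefile keeps its usual blank line between the RCS tag and COMMENT. The REVISION bump from 10 to 11 is correct, since the built package changes.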
@@ -24,6 +23,10 @@ CONFIGURE_ARGS+=     --with-bzlib \
                        --enable-gopher \
                        --enable-256-colors \
                        --with-libiconv=${LOCALBASE}
+# Elinks does not check SSL certificates properly!
+# Disable SSL support to protect our users.
+CONFIGURE_ARGS +=      --without-gnutls \
+                       --without-openssl
 
 # don't hide compiler command lines
 MAKE_ENV=              V=true
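Review bot: the added `CONFIGURE_ARGS +=` puts a space before `+=`, unlike the `CONFIGURE_ARGS+=` form of the existing block just above it; write it the same way. The comment says why TLS is disabled but not where that came from: add a pointer to the upstream elinks-dev report (date or subject) so whoever re-enables TLS later can first check that the certificate verification bug was actually fixed.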


----- Forwarded message from My Dear Diary <mydeardi...@sdf.org> -----

Date: Wed, 8 Mar 2017 07:56:30 +0000
From: My Dear Diary <mydeardi...@sdf.org>
To: elinks-...@lists.linuxfromscratch.org
Subject: [elinks-dev] [Bug][Security] elinks doesn't verify server certificate
User-Agent: NeoMutt/20170113 (1.7.2)

I found out that Elinks doesn't verify the server certificate when
connecting to HTTPS websites. This behavior doesn't comply with section
3.2 of IETF RFC 5280: Certification Paths and Trust.

To protect users against malicious websites using fake certificates and
potential man-in-the-middle attacks, certificate verification has to be
enabled by default.

The Elinks note about 'extensive configuration' in the SSL section of the
Option Manager doesn't make sense. Most distributions include a 'CA Bundle'
package, which is used as the certificate trust anchor, so there is no
need for end users to configure anything.

Elinks should notify users when the certificate presented by the server
cannot be validated and let the users choose whether to continue to the
site or to abort viewing the site.

Steps to reproduce this potential security bug.

1. Create a self signed certificate.

$ openssl genrsa -out ./privkey.pem 2048
$ openssl req -new -sha256 -days 1 -subj '/CN=localhost' -x509 \
    -key ./privkey.pem -out cert.crt

2. Serve a test page for the self signed certificate.

$ openssl s_server -key ./privkey.pem -cert ./cert.crt -HTTP -www

The OpenSSL test server will listen on 0.0.0.0:4433, accepting HTTP
requests.

3. Open another terminal and use Elinks to connect to the test server.

$ elinks https://localhost:4433/

4. Elinks will happily connect to the test server without notifying
users about the invalid or self-signed certificate. Refer to the behavior
of other browsers when connecting to the test server as a comparison.

Links2's behavior is more user friendly, notifying the user about the
invalid certificate and letting the user decide whether to connect to the
site or not.

This problem should be addressed as soon as possible to protect Elinks
users from potential MITM attacks.

-- 
http://lists.linuxfromscratch.org/listinfo/elinks-dev
Unsubscribe: See the above information page

----- End forwarded message -----

-- 
Best Regards
Edd Barrett

http://www.theunixzoo.co.uk
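The reproduction in the forwarded report (make a self-signed certificate, serve it, connect and see whether the client balks) can be run entirely in-process, which also makes the "what should a client have done" half explicit. The Go program below is an added example, not code from this thread, from ELinks or from the OpenBSD port: it generates a throwaway self-signed certificate for localhost, stands up a TLS server over net.Pipe (no listening port, so it runs offline), and connects four clients: three that verify the way a browser does (against a trust store that lacks the cert, against one where the user has chosen to trust it, and with a hostname that does not match the cert) and one with verification switched off, which is the behaviour the report describes for ELinks. The scenario labels and the asyncConn wrapper are mine; the wrapper exists only to stop net.Pipe from deadlocking when a client drops the connection mid-handshake.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedCert is the in-process equivalent of the reporter's
// "openssl req -x509 -subj /CN=localhost": a fresh throwaway certificate
// signed by its own key and issued by no CA, in both TLS and X.509 form.
func selfSignedCert() (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "localhost"},
		DNSNames:     []string{"localhost"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, leaf, err
}

// asyncConn queues one pipe end's writes onto a background goroutine. net.Pipe
// is fully synchronous, so without it a client that stops reading halfway through
// the server's flight (its verification failed) deadlocks a server blocked in Write.
type asyncConn struct {
	net.Conn
	q chan []byte
}

func (a *asyncConn) Write(b []byte) (int, error) {
	a.q <- append([]byte(nil), b...)
	return len(b), nil
}

// handshake runs one TLS handshake between an in-memory server presenting
// serverCert and a client built from clientCfg, over net.Pipe (no socket, no
// network). A nil result means the client accepted the server.
func handshake(serverCert tls.Certificate, clientCfg *tls.Config) error {
	cEnd, sPipe := net.Pipe()
	sEnd := &asyncConn{Conn: sPipe, q: make(chan []byte, 64)}
	go func() { // drain queued server writes into the pipe until the client is gone
		for b := range sEnd.q {
			if _, err := sPipe.Write(b); err != nil {
				return
			}
		}
	}()
	srv := tls.Server(sEnd, &tls.Config{Certificates: []tls.Certificate{serverCert}})
	done := make(chan struct{})
	go func() {
		_ = srv.Handshake() // a rejecting client shows up here as a remote alert or EOF
		close(sEnd.q)
		sPipe.Close()
		close(done)
	}()
	err := tls.Client(cEnd, clientCfg).Handshake()
	cEnd.Close()
	<-done
	return err
}

// scenarios generates one self-signed certificate and records, per client
// policy, whether the client accepts the in-memory server presenting it.
func scenarios() (map[string]error, error) {
	cert, leaf, err := selfSignedCert()
	if err != nil {
		return nil, err
	}
	userTrusted := x509.NewCertPool() // the trust store after the user said "yes, trust it"
	userTrusted.AddCert(leaf)
	// A verifying client sets RootCAs and ServerName, as a browser does. The empty
	// pool (not nil, which would mean system roots) stands in for a distro CA bundle,
	// which naturally does not contain this self-signed certificate.
	return map[string]error{
		"verify, cert not in trust store": handshake(cert, &tls.Config{RootCAs: x509.NewCertPool(), ServerName: "localhost"}),
		"verify, user-trusted cert":       handshake(cert, &tls.Config{RootCAs: userTrusted, ServerName: "localhost"}),
		"verify, name mismatch":           handshake(cert, &tls.Config{RootCAs: userTrusted, ServerName: "example.org"}),
		// no verification at all: the ELinks behaviour described in the report
		"no verification": handshake(cert, &tls.Config{InsecureSkipVerify: true}),
	}, nil
}

func main() {
	res, err := scenarios()
	if err != nil {
		panic(err)
	}
	for name, e := range res {
		fmt.Printf("%-32s accepted=%-5v %v\n", name, e == nil, e)
	}
}
```

Run with `go run`: the only client that accepts the untrusted certificate (or the one with the wrong name) is the one with InsecureSkipVerify, which is the ELinks situation; the verifying clients come back with an unknown-authority or hostname error, and that error is the prompt the report asks ELinks to show before letting the user decide whether to continue.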
