Bug 495532 - SSL/TLS certificate verification disabled by default
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: elinks
Version: rawhide
Hardware: All Linux
Priority: low
Severity: medium
Assigned To: Ondrej Vasik
QA Contact: Fedora Extras Quality Assurance
Keywords: EasyFix, Security
Blocks: F11Blocker/F11FinalBlocker
Reported: 2009-04-13 13:41 EDT by Lubomir Rintel
Modified: 2009-05-11 04:38 EDT
Fixed In Version: elinks-0.12-0.15.pre3
Doc Type: Bug Fix
Last Closed: 2009-05-11 04:38:01 EDT


Description Lubomir Rintel 2009-04-13 13:41:27 EDT
Description of problem:

The default elinks configuration is insecure and renders SSL/TLS support practically useless.

Please enable "connection.ssl.cert_verify" by default and accompany it with a huge fat warning for a user who would want to disable it.

By the way, why is elinks linked with OpenSSL when the NSS patch is done?

Version-Release number of selected component (if applicable):

elinks-0.12-0.12.pre3.fc11.i586

Additional info:

Originally reported here: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=510417
links package was patched to verify certificates upon its initial import.
Comment 1 Kamil Dudka 2009-04-13 16:16:08 EDT
(In reply to comment #0)
> Description of problem:
> 
> The default elinks configuration is insecure and renders SSL/TLS support
> practically useless.
> 
> Please enable "connection.ssl.cert_verify" by default and accompany it with a
> huge fat warning for a user who would want to disable it.

Thanks for the report, but I am afraid this feature is not implemented enough to be enabled by default. Have you tried to open a web page with an untrusted certificate? It just displays a big window with the short text "SSL error" and an OK button. There is no way to temporarily trust a certificate and no information about what exactly has failed. Moreover, a technically unskilled user doesn't know how to import certificates into the NSS database.

> By the way, why is elinks linked with OpenSSL when the NSS patch is done?

Good catch. It seems like --without-openssl configure option is missing. I'll fix it tomorrow.
Comment 2 Lubomir Rintel 2009-04-14 01:28:41 EDT
(In reply to comment #1)
> (In reply to comment #0)
> > Description of problem:
> > 
> > The default elinks configuration is insecure and renders SSL/TLS support
> > practically useless.
> > 
> > Please enable "connection.ssl.cert_verify" by default and accompany it with a
> > huge fat warning for a user who would want to disable it.
> 
> Thanks for the report, but I am afraid this feature is not implemented enough
> to be enabled by default. Have you tried to open a web page with an untrusted
> certificate? It just displays a big window with short text "SSL error" and
> button OK. There is no way to temporarily trust a certificate and no
> information about what exactly has failed.

Still much better than putting the user at risk of having his credit card number stolen. In fact, the user should _not_ ever even temporarily accept a bad certificate. Even Firefox tries to discourage him from doing so by making the certificate accept procedure painful.

> Moreover, a technically unskilled
> user doesn't know how to import certificates into the NSS database.

Um, yes, see, I'm such a user as well. The system-wide NSS database in /etc/pki/nssdb should contain the root certificates and thus should serve sufficiently well as default?

> > By the way, why is elinks linked with OpenSSL when the NSS patch is done?
> 
> Good catch. It seems like --without-openssl configure option is missing. I'll
> fix it tomorrow.  

Enabling connection.ssl.cert_verify warns me that I'm going to have to configure OpenSSL. It should probably mention NSS, if it is used.
Comment 3 Kamil Dudka 2009-04-14 12:56:25 EDT
> Good catch. It seems like --without-openssl configure option is missing. I'll
> fix it tomorrow.  

Nope, it has been caused by bad BuildRequires. I removed the BuildRequires openssl-devel and added BuildRequires for krb5-devel, nss-devel and pkgconfig. Now it is fixed in CVS, but I am unable to build it because koji F-11 builds are completely broken right now.

Ondra is going to solve the issue with the default value of "connection.ssl.cert_verify" tomorrow.
Comment 4 Ondrej Vasik 2009-04-28 10:22:55 EDT
Default configuration file and certificate verification enabled by default should be done in elinks-0.12-0.14.pre3.fc12 ... F-11 fix could be best handled by 0day update I guess...
Comment 5 Lubomir Rintel 2009-04-29 15:01:59 EDT
I've conducted some testing against elinks-0.12-0.15.pre3.fc12 and it seems to work perfectly. Please build it into dist-f11.
Comment 6 Kamil Dudka 2009-04-30 04:08:16 EDT
(In reply to comment #5)
> I've conducted some testing against elinks-0.12-0.15.pre3.fc12 and it seems to
> work perfectly. Please build it into dist-f11.

F-11 build is ready:
http://koji.fedoraproject.org/koji/buildinfo?buildID=100359

You can try to request a freeze override according to
https://fedoraproject.org/wiki/ReleaseEngineering/FinalFreezePolicy

But it is too late I think. If the request is rejected, then the build will be submitted as a post-release update. Please do not forget to test the package before requesting the freeze override.
Comment 7 Lubomir Rintel 2009-04-30 04:34:42 EDT
Thanks Kamil. I've filed a pull-up ticket for Fedora 11:
https://fedorahosted.org/rel-eng/ticket/1697
Comment 8 Ondrej Vasik 2009-05-11 04:38:01 EDT
As the releng ticket is closed and F11 build tagged, closing RAWHIDE.
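
Added example (not part of the bug report and not ELinks or Fedora code): a shell function that reports whether a set of ELinks configuration files leaves "connection.ssl.cert_verify" enabled, disabled or unset. It assumes the `set name = value` option syntax with `#` comments and that files are passed in load order; the function name and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Report the effective connection.ssl.cert_verify setting from ELinks config files.
# Usage: cert_verify_state FILE...
# Assumption: FILEs are given in the order ELinks reads them, so a later file
# overrides an earlier one (e.g. system-wide config first, per-user config last).
# Assumption: options are written as "set name = value"; "#" starts a comment.

cert_verify_state() {
    state=unset
    for f in "$@"; do
        [ -r "$f" ] || continue
        # Last uncommented assignment in this file wins; commented-out lines
        # do not match because the pattern is anchored before "set".
        v=$(sed -n 's/^[[:space:]]*set[[:space:]]\{1,\}connection\.ssl\.cert_verify[[:space:]]*=[[:space:]]*\([01]\).*$/\1/p' "$f" | tail -n 1)
        case "$v" in
            1) state=enabled ;;
            0) state=disabled ;;
        esac
    done
    # "unset" means no file sets the option, so the compiled-in default applies.
    printf '%s\n' "$state"
}

# Constructed sample files for demonstration only.
demo_dir=$(mktemp -d)
printf '%s\n' '# packaged default' \
    'set connection.ssl.cert_verify = 1' > "$demo_dir/system.conf"
printf '%s\n' '# user override that turns verification back off' \
    'set connection.ssl.cert_verify = 0' > "$demo_dir/user.conf"

printf 'system only:   %s\n' "$(cert_verify_state "$demo_dir/system.conf")"
printf 'system + user: %s\n' \
    "$(cert_verify_state "$demo_dir/system.conf" "$demo_dir/user.conf")"
rm -rf "$demo_dir"
```

A result of "unset" deserves the same attention as "disabled" on builds like the one in this report, where verification was off unless a configuration file turned it on.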
