Fwd: [elinks-dev] [Bug][Security] elinks doesn't verify server certificate


Fwd: [elinks-dev] [Bug][Security] elinks doesn't verify server certificate

Edd Barrett
Hi,

The following email appeared in my inbox from the elinks-dev list (I
can't link you to it because it seems all the elinks archives have
either disappeared or are out of date).

I've verified that elinks is not checking the validity of certificates
by hitting https://www.pcwebshop.co.uk/ in both chromium and elinks.
Chromium warns, elinks does not.

I think we should tear out SSL support until upstream makes a patch. If
such a patch doesn't show up soon, then we should probably consider
killing this port. It's not the first time elinks has had SSL issues and
it seems to be bitrotting...

With the below patch, hitting an HTTPS site gives the message:
"This version of ELinks does not contain SSL/TLS support"

OK?

Index: Makefile
===================================================================
RCS file: /home/edd/cvsync/ports/www/elinks/Makefile,v
retrieving revision 1.37
diff -u -p -r1.37 Makefile
--- Makefile 30 Jan 2017 10:06:55 -0000 1.37
+++ Makefile 10 Mar 2017 10:45:34 -0000
@@ -1,8 +1,7 @@
 # $OpenBSD: Makefile,v 1.37 2017/01/30 10:06:55 jca Exp $
-
 COMMENT= full-featured text WWW browser
 DISTNAME= elinks-0.11.7
-REVISION= 10
+REVISION= 11
 CATEGORIES= www
 MASTER_SITES= http://elinks.cz/download/
 
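Review bot: the `-` line removes the blank separator after the `$OpenBSD$` tag, which has nothing to do with disabling SSL; keep that blank line so the hunk carries only the REVISION bump from 10 to 11, which is the right thing to change here since the configure options alter the resulting package.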
@@ -24,6 +23,10 @@ CONFIGURE_ARGS+= --with-bzlib \
  --enable-gopher \
  --enable-256-colors \
  --with-libiconv=${LOCALBASE}
+# Elinks does not check SSL certificates properly!
+# Disable SSL support to protect our users.
+CONFIGURE_ARGS += --without-gnutls \
+ --without-openssl
 
 # don't hide compiler command lines
 MAKE_ENV= V=true
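Review bot: passing `--without-gnutls` and `--without-openssl` drops the TLS backends but this diff leaves the port's WANTLIB untouched; with crypto and ssl still listed there the package no longer links them and the lib-depends check will flag the mismatch, so the WANTLIB change belongs in the same diff. Minor style point: the context line three lines up spells it `CONFIGURE_ARGS+= --with-bzlib \`, so write `CONFIGURE_ARGS+= --without-gnutls \` without spaces around `+=` to match.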


----- Forwarded message from My Dear Diary <[hidden email]> -----

Date: Wed, 8 Mar 2017 07:56:30 +0000
From: My Dear Diary <[hidden email]>
To: [hidden email]
Subject: [elinks-dev] [Bug][Security] elinks doesn't verify server certificate
User-Agent: NeoMutt/20170113 (1.7.2)

I found out that Elinks doesn't verify the server certificate when
connecting to HTTPS websites. This behavior doesn't comply with section
3.2 of IETF RFC 5280: Certification Paths and Trust.

To protect users against malicious websites using fake certificates and
potential man-in-the-middle attacks, certificate verification has to be
enabled by default.

The Elinks note about 'extensive configuration' in the SSL section of the
Option Manager doesn't make sense. Most distributions include a 'CA Bundle'
package, which is used as the certificate trust anchor, so there is no need
for end users to configure anything.

Elinks should notify users when the certificate presented by the server
cannot be validated and let the users choose whether to continue to the
site or to abort viewing the site.

Steps to reproduce this potential security bug:

1. Create a self-signed certificate.

$ openssl genrsa -out ./privkey.pem 2048
$ openssl req -new -sha256 -days 1 -subj '/CN=localhost' -x509 -key ./privkey.pem -out cert.crt

2. Serve a test page with the self-signed certificate.

$ openssl s_server -key ./privkey.pem -cert ./cert.crt -HTTP -www

The OpenSSL test server will listen on 0.0.0.0:4433, accepting HTTP
requests.

3. Open another terminal and use Elinks to connect to the test server.

$ elinks https://localhost:4433/

4. Elinks will happily connect to the test server without notifying the
user about the invalid or self-signed certificate. Compare this with the
behavior of other browsers when connecting to the test server.

The Links2 behavior is more user-friendly: it notifies the user about the
invalid certificate and lets the user decide whether to connect to the site
or not.

This problem should be addressed as soon as possible to protect Elinks
users from potential MITM attacks.

--
http://lists.linuxfromscratch.org/listinfo/elinks-dev
Unsubscribe: See the above information page

----- End forwarded message -----

--
Best Regards
Edd Barrett

http://www.theunixzoo.co.uk
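The reproduction steps in the forwarded report, automated as an added example (not code from this thread or from ELinks): it creates the self-signed certificate with the openssl CLI (assumed to be on PATH), serves it from a local TLS socket in place of openssl s_server, and connects with Python's ssl module as the conformant client the reporter asks for, which must reject the certificate against the system bundle and accept it only when that certificate is explicitly loaded as the trust anchor. The function names and the ephemeral port are this example's own.

```python
import os, socket, ssl, subprocess, tempfile, threading

def make_self_signed(dirname):
    """Step 1 of the report via the openssl CLI: a throwaway self-signed cert
    for localhost (a SAN is added so hostname checks match on modern OpenSSL)."""
    key, cert = os.path.join(dirname, "privkey.pem"), os.path.join(dirname, "cert.crt")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
                    "-subj", "/CN=localhost", "-addext", "subjectAltName=DNS:localhost",
                    "-days", "1", "-keyout", key, "-out", cert], check=True, capture_output=True)
    return key, cert

def serve(key, cert, n_conns):
    """Step 2: a TLS server on 127.0.0.1 presenting that cert (a stand-in for
    openssl s_server). Completes n_conns handshakes in a background thread."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(cert, key)
    lsock = socket.socket()
    lsock.bind(("127.0.0.1", 0))        # ephemeral port instead of 4433
    lsock.listen(n_conns)
    def run():
        for _ in range(n_conns):
            conn, _addr = lsock.accept()
            try:
                ctx.wrap_socket(conn, server_side=True).close()
            except OSError:
                pass                    # client rejected our cert and aborted
        lsock.close()
    threading.Thread(target=run, daemon=True).start()
    return lsock.getsockname()[1]

def connect(port, cafile=None):
    """Step 3 as a conformant client: build and validate a path to a trust
    anchor and check the hostname. cafile=None means the system CA bundle."""
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED + hostname check
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=10) as raw:
            with ctx.wrap_socket(raw, server_hostname="localhost"):
                return "accepted"
    except ssl.SSLCertVerificationError:
        return "rejected"               # the notice elinks never gave

def run_demo():
    # Same server, two trust configurations: unknown anchor vs the cert pinned as anchor.
    with tempfile.TemporaryDirectory() as d:
        key, cert = make_self_signed(d)
        port = serve(key, cert, n_conns=2)
        return {"system_bundle": connect(port),
                "cert_as_anchor": connect(port, cafile=cert)}
```

A client that returns "accepted" on the first connection is showing the bug reported above.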


Re: Fwd: [elinks-dev] [Bug][Security] elinks doesn't verify server certificate

Edd Barrett-3
On Fri, Mar 10, 2017 at 10:54:29AM +0000, Edd Barrett wrote:

> Index: Makefile
> ===================================================================
> RCS file: /home/edd/cvsync/ports/www/elinks/Makefile,v
> retrieving revision 1.37
> diff -u -p -r1.37 Makefile
> --- Makefile 30 Jan 2017 10:06:55 -0000 1.37
> +++ Makefile 10 Mar 2017 10:45:34 -0000
> @@ -1,8 +1,7 @@
>  # $OpenBSD: Makefile,v 1.37 2017/01/30 10:06:55 jca Exp $
> -

And I'll add that line back too ^

--
Best Regards
Edd Barrett

http://www.theunixzoo.co.uk


Re: Fwd: [elinks-dev] [Bug][Security] elinks doesn't verify server certificate

Edd Barrett-3
On Fri, Mar 10, 2017 at 10:54:29AM +0000, Edd Barrett wrote:
> +# Elinks does not check SSL certificates properly!
> +# Disable SSL support to protect our users.
> +CONFIGURE_ARGS += --without-gnutls \
> + --without-openssl

Any comments on this? Kill SSL support or kill elinks?

--
Best Regards
Edd Barrett

http://www.theunixzoo.co.uk


Re: Fwd: [elinks-dev] [Bug][Security] elinks doesn't verify server certificate

Jeremie Courreges-Anglas-2
Edd Barrett <[hidden email]> writes:

> On Fri, Mar 10, 2017 at 10:54:29AM +0000, Edd Barrett wrote:
>> +# Elinks does not check SSL certificates properly!
>> +# Disable SSL support to protect our users.
>> +CONFIGURE_ARGS += --without-gnutls \
>> + --without-openssl
>
> Any comments on this? Kill SSL support or kill elinks?

I would just remove elinks.  An HTTP-only browser is basically useless,
and the last update was on 2009/08/26.

--
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF  DDCC 0DFA 74AE 1524 E7EE


Re: Fwd: [elinks-dev] [Bug][Security] elinks doesn't verify server certificate

Stuart Henderson
On 2017/03/12 17:57, Edd Barrett wrote:
> On Fri, Mar 10, 2017 at 10:54:29AM +0000, Edd Barrett wrote:
> > +# Elinks does not check SSL certificates properly!
> > +# Disable SSL support to protect our users.
> > +CONFIGURE_ARGS += --without-gnutls \
> > + --without-openssl
>
> Any comments on this? Kill SSL support or kill elinks?

Is this patch any good for us?

http://lists.linuxfromscratch.org/pipermail/elinks-dev/2015-June/002099.html


Re: Fwd: [elinks-dev] [Bug][Security] elinks doesn't verify server certificate

Edd Barrett-3
On Mon, Mar 13, 2017 at 08:45:11AM +0000, Stuart Henderson wrote:

> On 2017/03/12 17:57, Edd Barrett wrote:
> > On Fri, Mar 10, 2017 at 10:54:29AM +0000, Edd Barrett wrote:
> > > +# Elinks does not check SSL certificates properly!
> > > +# Disable SSL support to protect our users.
> > > +CONFIGURE_ARGS += --without-gnutls \
> > > + --without-openssl
> >
> > Any comments on this? Kill SSL support or kill elinks?
>
> Is this patch any good for us?
>
> http://lists.linuxfromscratch.org/pipermail/elinks-dev/2015-June/002099.html

The patch never made it into their git repo, so I'm not sure if it is
correct (I'm not versed in the OpenSSL API).

I've raised a bug here:
https://github.com/nabetaro/elinks/issues/1

(not in their official bugzilla as it is broken)

What I'd like to do is:

 * disable SSL support now.
 * If after a week or two, there is no evidence that upstream are
   working to fix the bug, remove the port.

Works for you guys?

Here's an updated diff with the WANTLIB fixed. OK?

Index: Makefile
===================================================================
RCS file: /home/edd/cvsync/ports/www/elinks/Makefile,v
retrieving revision 1.37
diff -u -p -r1.37 Makefile
--- Makefile 30 Jan 2017 10:06:55 -0000 1.37
+++ Makefile 14 Mar 2017 17:48:55 -0000
@@ -1,8 +1,7 @@
 # $OpenBSD: Makefile,v 1.37 2017/01/30 10:06:55 jca Exp $
-
 COMMENT= full-featured text WWW browser
 DISTNAME= elinks-0.11.7
-REVISION= 10
+REVISION= 11
 CATEGORIES= www
 MASTER_SITES= http://elinks.cz/download/
 
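Review bot: this updated diff still removes the blank line after the `$OpenBSD$` tag that the earlier reply said would be put back; drop the `-` line so the hunk is only the REVISION bump.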
@@ -24,6 +23,10 @@ CONFIGURE_ARGS+= --with-bzlib \
  --enable-gopher \
  --enable-256-colors \
  --with-libiconv=${LOCALBASE}
+# Elinks does not check SSL certificates properly!
+# Disable SSL support to protect our users.
+CONFIGURE_ARGS += --without-gnutls \
+ --without-openssl
 
 # don't hide compiler command lines
 MAKE_ENV= V=true
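Review bot: the comment records why SSL is off but not where to watch for the fix; add the upstream issue URL raised in this message (https://github.com/nabetaro/elinks/issues/1) next to it so whoever revisits the port knows when the `--without-gnutls` and `--without-openssl` lines can come out. Minor: `CONFIGURE_ARGS +=` differs from the `CONFIGURE_ARGS+=` spelling on the context line three lines up.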
@@ -35,7 +38,7 @@ USE_GMAKE= Yes
 USE_GROFF = Yes
 
 RUN_DEPENDS= devel/gettext
-WANTLIB= bz2 crypto c iconv idn ssl z
+WANTLIB= bz2 c iconv idn z
 
 FLAVORS= lua no_x11 js
 FLAVOR?=
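Review bot: dropping crypto and ssl from WANTLIB is the right companion to the configure change, but the line is hand-edited, so confirm with a build that nothing else in the port still links libcrypto or libssl (the js and lua flavors listed in the FLAVORS context line are the obvious candidates); if one does, the port's library check will flag the missing entries.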

--
Best Regards
Edd Barrett

http://www.theunixzoo.co.uk