[Secure-testing-team] Bug#776073: lynx-cur: can connect to site with expired certificate

Vincent Lefevre vincent at vinc17.net
Fri Jan 23 15:51:44 UTC 2015 

Package: lynx-cur
Version: 2.8.9dev1-2+b1
Severity: grave
Tags: security
Justification: user security hole

lynx can connect to https://www.projet-plume.org/ without any error,
though its certificate has expired.

Firefox says:

  www.projet-plume.org uses an invalid security certificate.
  The certificate expired on 2014-12-05 00:59. The current time
  is 2015-01-23 16:38.
  (Error code: sec_error_expired_certificate)

Also checked with:

  openssl s_client -CApath /etc/ssl/certs -connect www.projet-plume.org:443

which outputs:

CONNECTED(00000003)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
depth=2 C = US, ST = UT, L = Salt Lake City, O = The USERTRUST Network, OU = http://www.usertrust.com, CN = UTN-USERFirst-Hardware
verify return:1
depth=1 C = NL, O = TERENA, CN = TERENA SSL CA
verify return:1
depth=0 C = FR, L = LABEGE CEDEX, O = CNRS, OU = MOY1678, CN = projet-plume.org
verify error:num=10:certificate has expired
notAfter=Dec  4 23:59:59 2014 GMT
verify return:1
depth=0 C = FR, L = LABEGE CEDEX, O = CNRS, OU = MOY1678, CN = projet-plume.org
notAfter=Dec  4 23:59:59 2014 GMT
verify return:1
[...]
    Verify return code: 10 (certificate has expired)
---
DONE

-- System Information:
Debian Release: 8.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=POSIX, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages lynx-cur depends on:
ii  libbsd0            0.7.0-2
ii  libbz2-1.0         1.0.6-7+b2
ii  libc6              2.19-13
ii  libgcrypt20        1.6.2-4+b1
ii  libgnutls-deb0-28  3.3.8-5
ii  libidn11           1.29-1+b2
ii  libncursesw5       5.9+20140913-1+b1
ii  libtinfo5          5.9+20140913-1+b1
ii  zlib1g             1:1.2.8.dfsg-2+b1

Versions of packages lynx-cur recommends:
ii  mime-support  3.58

lynx-cur suggests no packages.

-- debconf information:
  lynx-cur/etc_lynx.cfg:
  lynx-cur/defaulturl: http://www.vinc17.org/

More information about the Secure-testing-team mailing list