10:58 p.m.
Please reply to the list, not me direct, thanks.
On Fri, 23 Sep 2005, cbonsall wrote:
John-Mark Bell wrote:
>
> On Fri, 23 Sep 2005, M.I. Abdullah wrote:
>>
>>Trying to get to WebMail (run by the university) using NetSurf it is
>>possible to login due to the lack (?) of secure http (https, SSL, shttp ! ).
>>Can manage with Oregano and ANT (after loading the SSL module).
>>
>>Is there any "secure" http for NetSurf?
>
> The full build has had https support for ages. What exactly is the error
> message (if any) that you get? > John.
I have a similar problem with the NetSurf on an Iyonix. Trying to access
the University of Edinburgh's staff webmail service results in:
Page error
Sorry, NetSurf was unable to display this page
SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
verify failed
Yet I get access via O2 and FireFox.
NetSurf is very strict about verifying the authenticity of SSL
certificates. If this check fails, it will give an error such as the one
above. You can disable certificate verification by changing the
ssl_verify_certificates option in the Choices file from 1 to 0. (Note that
this really, really, isn't advisable).
John.
2:14 a.m.
New subject: [Netsurf-develop] Secure http for NetSurf?
In article
<Pine.LNX.4.44.0509231753150.17929-100000(a)servalan.ecs.soton.ac.uk>,
John-Mark Bell <jmb202(a)ecs.soton.ac.uk> wrote:
Please reply to the list, not me direct, thanks.
On Fri, 23 Sep 2005, cbonsall wrote:
> John-Mark Bell wrote:
> >
> > On Fri, 23 Sep 2005, M.I. Abdullah wrote:
[Snip]
> >>Is there any "secure" http for NetSurf?
> >
> > The full build has had https support for ages. What exactly is the
> > error message (if any) that you get? > John.
>
> I have a similar problem with the NetSurf on an Iyonix. Trying to access
> the University of Edinburgh's staff webmail service results in:
>
> Page error
>
> Sorry, NetSurf was unable to display this page SSL certificate problem,
> verify that the CA cert is OK. Details: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>
> Yet I get access via O2 and FireFox.
Me too. Identical error, trying to access our school's webmail.
NetSurf is very strict about verifying the authenticity of SSL
certificates.
Is it possibly being a bit too strict??
If this check fails, it will give an error such as the one
above. You can disable certificate verification by changing the
ssl_verify_certificates option in the Choices file from 1 to 0. (Note that
this really, really, isn't advisable).
Will try this. But why is it not advisable? HTTPS will be used for the
communication, and no 3rd party is involved, so I don't see any security
problem. -Or have I missed something?
Gary
--
Gary Locock, Network Manager, Bablake Junior School
Coundon Road, Coventry CV1 4AU
School Website: http://www.bablakejs.co.uk
Private mail: g a r y (at) l o c o c k . c o . u k
---
[This E-mail has been scanned for viruses but it is your responsibility
to maintain up to date anti virus software on the device that you are
currently using to read this email. ]
5:05 a.m.
New subject: [Netsurf-develop] Secure http for NetSurf?
On Sat, 24 Sep 2005, Gary Locock wrote:
In article
<Pine.LNX.4.44.0509231753150.17929-100000(a)servalan.ecs.soton.ac.uk>,
John-Mark Bell <jmb202(a)ecs.soton.ac.uk> wrote:
> NetSurf is very strict about verifying the authenticity of SSL
> certificates.
Is it possibly being a bit too strict??
Most definitely not; or would you prefer your HTTPS sessions to be as
secure as a wet piece of string?
> If this check fails, it will give an error such as the one
> above. You can disable certificate verification by changing the
> ssl_verify_certificates option in the Choices file from 1 to 0. (Note that
> this really, really, isn't advisable).
Will try this. But why is it not advisable? HTTPS will be used for the
communication, and no 3rd party is involved, so I don't see any security
problem. -Or have I missed something?
The issue is that that option will turn certificate verification off for
_every_ HTTPS site that you visit thus removing any sense of security.
John.
4:42 p.m.
New subject: [Netsurf-develop] Secure http for NetSurf?
John-Mark Bell wrote:
On Sat, 24 Sep 2005, Gary Locock wrote:
>
>In article
><Pine.LNX.4.44.0509231753150.17929-100000(a)servalan.ecs.soton.ac.uk>,
> John-Mark Bell <jmb202(a)ecs.soton.ac.uk> wrote:
>
>
>>NetSurf is very strict about verifying the authenticity of SSL
>>certificates.
>
>Is it possibly being a bit too strict??
Most definitely not; or would you prefer your HTTPS sessions to be as
secure as a wet piece of string?
>>If this check fails, it will give an error such as the one
>>above. You can disable certificate verification by changing the
>>ssl_verify_certificates option in the Choices file from 1 to 0. (Note that
>>this really, really, isn't advisable).
>
>Will try this. But why is it not advisable? HTTPS will be used for the
>communication, and no 3rd party is involved, so I don't see any security
>problem. -Or have I missed something?
The issue is that that option will turn certificate verification off for
_every_ HTTPS site that you visit thus removing any sense of security. > John.
How about an option to view and accept/reject the certificate. Is that
possible/practical?
--
Clive Bonsall
Iyonix 512Mb RO5.10
C.Bonsall(a)ed.ac.uk
5:41 p.m.
New subject: [Netsurf-develop] Secure http for NetSurf?
On Sun, 25 Sep 2005, cbonsall wrote:
John-Mark Bell wrote:
>
> On Sat, 24 Sep 2005, Gary Locock wrote:
>
>>In article
>><Pine.LNX.4.44.0509231753150.17929-100000(a)servalan.ecs.soton.ac.uk>,
>> John-Mark Bell <jmb202(a)ecs.soton.ac.uk> wrote:
>
>>>If this check fails, it will give an error such as the one
>>>above. You can disable certificate verification by changing the
>>>ssl_verify_certificates option in the Choices file from 1 to 0. (Note that
>>>this really, really, isn't advisable).
>>
>>Will try this. But why is it not advisable? HTTPS will be used for the
>>communication, and no 3rd party is involved, so I don't see any security
>>problem. -Or have I missed something?
>
> The issue is that that option will turn certificate verification off for
> _every_ HTTPS site that you visit thus removing any sense of security.
How about an option to view and accept/reject the certificate. Is that
possible/practical?
That's the intention. eventually.
John.
3:56 a.m.
New subject: [Netsurf-develop] Secure http for NetSurf?
In article
<Pine.LNX.4.44.0509250003090.26467-100000(a)servalan.ecs.soton.ac.uk>,
John-Mark Bell <jmb202(a)ecs.soton.ac.uk> wrote:
On Sat, 24 Sep 2005, Gary Locock wrote:
>
> In article
> <Pine.LNX.4.44.0509231753150.17929-100000(a)servalan.ecs.soton.ac.uk>,
> John-Mark Bell <jmb202(a)ecs.soton.ac.uk> wrote:
>
> > NetSurf is very strict about verifying the authenticity of SSL
> > certificates.
>
> Is it possibly being a bit too strict??
Most definitely not; or would you prefer your HTTPS sessions to be
as
secure as a wet piece of string?
> > If this check fails, it will give an error such as the one above. You
> > can disable certificate verification by changing the
> > ssl_verify_certificates option in the Choices file from 1 to 0. (Note
> > that this really, really, isn't advisable).
>
> Will try this. But why is it not advisable? HTTPS will be used for the
> communication, and no 3rd party is involved, so I don't see any security
> problem. -Or have I missed something?
The issue is that that option will turn certificate verification off
for
_every_ HTTPS site that you visit thus removing any sense of security.
OK, I think I understand. So what would be really nice is a means of turning
off verification for specified sites only; but I guess that makes for a
programming complication.
Looking at it from the other end, 3 at least of the servers that people have
tried to contact have been refused by !NetSurf, with identical errors AFAICS.
So is there a common configuration issue at the servers, and how can that be
dealt with?
At a guess, since these are Academic sites, there is a fair probability that
these are Unix servers; ours certainly is, but Navaho (not Apache). What
should we be communicating to our server managers?
Presumably, since Oregano1 and 2 will contact these servers quite happily,
then their security is less stringent and we should not be using these for
say, banking?
Gary
--
Gary Locock, Network Manager, Bablake Junior School
Coundon Road, Coventry CV1 4AU
School Website: http://www.bablakejs.co.uk
Private mail: g a r y (at) l o c o c k . c o . u k
---
[This E-mail has been scanned for viruses but it is your responsibility
to maintain up to date anti virus software on the device that you are
currently using to read this email. ]
10:25 p.m.
New subject: [Netsurf-develop] Secure http for NetSurf?
On Sun, 25 Sep 2005, Gary Locock wrote:
[HTTPS certificate verification]
OK, I think I understand. So what would be really nice is a means of
turning
off verification for specified sites only; but I guess that makes for a
programming complication.
Well, the most correct solution would be to do what other browsers do and
ask the user if they wish to accept the certificate for the current
session or permanently, preferably providing useful information about the
certificate such that the user can decide what they wish to do.
Looking at it from the other end, 3 at least of the servers that
people have
tried to contact have been refused by !NetSurf, with identical errors AFAICS.
So is there a common configuration issue at the servers, and how can that be
dealt with?
It depends on the circumstances. In many cases, it's simply a case of the
certificates not having been signed by a known certification authority.
Equally, I've come across cases where the certificate has expired.
Presumably, since Oregano1 and 2 will contact these servers quite
happily,
then their security is less stringent and we should not be using these for
say, banking?
Well, they don't appear to bother to validate SSL certificates. If you're
satisfied that you know you're talking to the right site, then they're no
less secure than other browsers (as the data sent to/from the server is
encrypted).
John.
5:31 a.m.
New subject: [Netsurf-develop] Secure http for NetSurf?
On 24 Sep 2005 Gary Locock <gary(a)locock.co.uk> wrote:
In article
<Pine.LNX.4.44.0509231753150.17929-100000(a)servalan.ecs.soton.ac.uk>,
John-Mark Bell <jmb202(a)ecs.soton.ac.uk> wrote:
> If this check fails, it will give an error such as the one above. You can
> disable certificate verification by changing the ssl_verify_certificates
> option in the Choices file from 1 to 0. (Note that this really, really,
> isn't advisable).
Will try this. But why is it not advisable? HTTPS will be used for the
communication, and no 3rd party is involved, so I don't see any security
problem. -Or have I missed something?
If you dont verify who you are talking to, all you know is that what you are
sending can't be causually intercepted on its way to a potential crook at the
other end.
Cheers
---Dave
--
____________________________________________________________________________
David J. Ruck Phone: +44- (0)7974 108301 Email: druck(a)druck.org.uk
____________________________________________________________________________
5906
days inactive
5909
days old
netsurf-users@netsurf-browser.org
7 comments
4 participants
participants (4)
-
cbonsall -
David J. Ruck -
Gary Locock -
John-Mark Bell