[Dillo-dev] how about if we make a 3.0.5

eocene eocene at gmx.com
Sat Jun 13 01:22:37 CEST 2015


I wrote:
> noname wrote:
> > SSL3 and compression are not the main issue.
> > HTTPS in dillo is completely broken because it does not check for domain
> > name in the certificate.
> > hg tip has checking code copied from wget and current dillo release has
> > no code for it at all. It means that Dillo accepts any valid certificate
> > as a certificate for, let's say, gmail. You can get one from StartSSL
> > for free and test, it works.
> 
> Right, I hadn't wanted to do any real New Work for 3.0.5 that would require
> a somewhat higher level of scrutiny and testing, but all right, I'll take
> a look at gluing that stuff into the https dpi.

Adapted the name checking to fit into the dpi, plus server name indication
while I was at it.

Looks like it may be working. I'll push the code to the server later if
you can promise to help give it heavy testing in coming days.

When you're browsing, if you just change http to https, so many sites that
don't expect TLS connections will offer up certificates that are broken in
some way. And then try the various cancel/continue combinations...
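The check this thread says is missing, as an added example (not code from Dillo, wget, or this post): matching the requested host against the DNS names taken from a certificate, so that a valid certificate issued for one domain is refused for another. The function names are hypothetical, the rules follow common RFC 6125 practice, and the caller is assumed to have already extracted the names and rejected any that contain embedded NUL bytes.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Case-insensitive equality of the first n bytes of a and b. */
static int ieq(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Crude IP-literal test: has ':' (IPv6) or is only digits and dots. */
static int looks_like_ip(const char *h)
{
    return strchr(h, ':') != NULL || strspn(h, "0123456789.") == strlen(h);
}

/* Return 1 if one certificate DNS name (pattern) covers host, else 0.
 * IP literals never match a DNS name (they belong to iPAddress entries). */
int name_matches(const char *pattern, const char *host)
{
    size_t plen = strlen(pattern), hlen = strlen(host);
    const char *star = strchr(pattern, '*');

    if (plen == 0 || hlen == 0 || looks_like_ip(host))
        return 0;
    if (!star)                         /* no wildcard: whole-name match */
        return plen == hlen && ieq(pattern, host, plen);
    /* A wildcard must be the entire leftmost label: "*.rest" only. */
    if (star != pattern || pattern[1] != '.' || strchr(pattern + 1, '*'))
        return 0;
    if (!strchr(pattern + 2, '.'))     /* refuse "*.com"-style patterns */
        return 0;
    const char *dot = strchr(host, '.');   /* end of host's first label */
    if (!dot || dot == host)
        return 0;
    /* '*' stands for exactly one label; the remainder must be identical. */
    return strlen(dot) == plen - 1 && ieq(dot, pattern + 1, plen - 1);
}

/* Return 1 if any of the n names from the certificate covers host. */
int cert_covers_host(const char *const *names, size_t n, const char *host)
{
    for (size_t i = 0; i < n; i++)
        if (name_matches(names[i], host))
            return 1;
    return 0;
}
```

A client that skips this step and relies on chain validation alone treats every validly issued certificate as good for every site, which is the behaviour described in the quoted message.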



