LinuxQuestions.org
Latest LQ Deal: Latest LQ Deals
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Software
User Name
Password
Linux - Software This forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.

Notices


Reply
  Search this Thread
Old 06-04-2017, 06:26 PM   #1
dedec0
Senior Member
 
Registered: May 2007
Posts: 1,143

Rep: Reputation: 43
Question Links browser with secure connections: is this error normal?


Recently I have:

- compiled OpenSSL 1.1.0f and installed it in a user folder;

- compiled Links 2.14 with SSL support and also installed in a user folder.

Detailed comments about these two steps are given in another thread: "How to use OpenSSL installed in a different dir to compile Links?", which still has a question about SSL v2 and v3.

After compiling Links, the first page I visited was hotmail.com, which is redirected to another domain in a secure connection. But Links asked me:

==
Invalid certificate
The server mail.live.com doesn't have a valid certificate.
Do you want to connect to it anyway?
[No] [Yes]
==

After sometime, I tried other secure pages that work normally in other browsers. They also do not work with my Links:

duckduckgo.com
mail.yahoo.com
https://LQ.org/questions/login.php

For all of them, Links said their certificate is invalid, same question.

Is this normal? Is it because I compiled from source? Is it because SSL v2 and v3 are not working, as I showed/asked in the other thread?

Last edited by dedec0; 06-05-2017 at 07:38 AM.
 
Old 06-04-2017, 08:46 PM   #2
frankbell
LQ Guru
 
Registered: Jan 2006
Location: Virginia, USA
Distribution: Slackware, Ubuntu MATE, Mageia, and whatever VMs I happen to be playing with
Posts: 17,494
Blog Entries: 28

Rep: Reputation: 5433Reputation: 5433Reputation: 5433Reputation: 5433Reputation: 5433Reputation: 5433Reputation: 5433Reputation: 5433Reputation: 5433Reputation: 5433Reputation: 5433
I just went to https://duckduckgo.com and https://LQ.org/questions/login.php in links with no errors. This was the default links that comes with Slackware.
 
Old 06-04-2017, 09:33 PM   #3
dedec0
Senior Member
 
Registered: May 2007
Posts: 1,143

Original Poster
Rep: Reputation: 43
Thank you for the test, frankbell. I suppose that hotmail.com would also load with no error for you. I cannot understand why the certificates are considered invalid in my computer.

Links is not installed in a machine I use. And I have no root access to it. I compiled and installed Links there just for me. And, before that, compiling and installing OpenSSL was needed.
 
Old 06-04-2017, 10:16 PM   #4
frankbell
LQ Guru
 
Registered: Jan 2006
Location: Virginia, USA
Distribution: Slackware, Ubuntu MATE, Mageia, and whatever VMs I happen to be playing with
Posts: 17,494
Blog Entries: 28

Rep: Reputation: 5433Reputation: 5433Reputation: 5433Reputation: 5433Reputation: 5433Reputation: 5433Reputation: 5433Reputation: 5433Reputation: 5433Reputation: 5433Reputation: 5433
What distro is on the machine you were using links on?
 
Old 06-05-2017, 06:04 AM   #5
dedec0
Senior Member
 
Registered: May 2007
Posts: 1,143

Original Poster
Rep: Reputation: 43
Question

Quote:
Originally Posted by frankbell View Post
What distro is on the machine you were using links on?
Does it matter? I compiled both Links and OpenSSL from source, current versions.

There are several machines I can run the Links I built. They are Ubuntu 14.04.5 LTS and 16.04.2 LTS. Right now, I have tested in both kinds of machines, the behaviour is exactly the same.

Last edited by dedec0; 06-05-2017 at 07:41 PM.
 
Old 06-05-2017, 07:15 AM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594
Quote:
Originally Posted by dedec0 View Post
I cannot understand why the certificates are considered invalid in my computer.
Officially-issued SSL certificates are not autonomous but are chained all the way up to the Certificate Authority (CA) that issued them. That's also why you get errors with self-signed certs as there is no CA to validate them. My first hunch would be it's not finding root certs to work with.


Quote:
Originally Posted by dedec0 View Post
Does it matter? I compiled both Links ann OpenSSL from source, current versions.
Yes how and where you installed software and dependencies matters yuugely, because from reading this:


Quote:
Originally Posted by dedec0 View Post
Links is not installed in a machine I use. And I have no root access to it. I compiled and installed Links there just for me. And, before that, compiling and installing OpenSSL was needed.
...we can understand the SSL warning may not be caused by some common error but brought on by doing things in a non-standard way. (And probably SSL libraries were installed but not the development libraries needed for compiling software.) The first best way to fix things good would be to undo whatever it is you did and ask the admin to install (e)links properly for you. And IMHO there should be no valid reason not to do so.

*Should you want to pursue the alternative anyway (YMMVM) then first run some diags: see if you can spot a difference when doing 'true | /path/to/your/custom/openssl s_client -connect mail.live.com:443;' vs 'true | /usr/bin/openssl s_client -connect mail.live.com:443;'. If there is then ensure your (SSL) development libraries match the versions on each system and ensure the compile time configuration for finding /etc/pki (or wherever SSL asserts its certificate structure is located at) matches each system. (There's prolly SSL-related configuration files or environment variables to do so but that may or may not work and will most likely bite you when you decide more applications dependant on SSL.)
 
Old 06-05-2017, 08:46 AM   #7
dedec0
Senior Member
 
Registered: May 2007
Posts: 1,143

Original Poster
Rep: Reputation: 43
Question

Quote:
Originally Posted by unSpawn View Post
...we can understand the SSL warning may not be caused by some common error but brought on by doing things in a non-standard way.
That may be possible. Although it is not the most common scenario, it is not something that should fail.

Quote:
(And probably SSL libraries were installed but not the development libraries needed for compiling software.)
This is possibly true. But I imagine that if some development library was missing for OpenSSL or for Links, their configure script should have warned me - is this idea wrong? If some certificate is also needed (not just the OpenSSL dev. lib.), it should be pointed with a different option - right?

As said in the first post of this thread, and in the other thread about OpenSSL+Links in different dirs, Links' configure script said that SSL v2 and V3 were not enabled. Until now, no-one commented that detail in both threads. I would choose to enable them, but I have not seen the reason for them being disabled. There is no option specifically to SSL v2 or v3 in Links' configure script.

Quote:
The first best way to fix things good would be to undo whatever it is you did and ask the admin to install (e)links properly for you. And IMHO there should be no valid reason not to do so.
This is not an option, for reasons not chosen by me. And I want to be able to fully build and install Links - why not?

Quote:
*Should you want to pursue the alternative anyway (YMMVM) then first run some diags: see if you can spot a difference when doing 'true | /path/to/your/custom/openssl s_client -connect mail.live.com:443;' vs 'true | /usr/bin/openssl s_client -connect mail.live.com:443;'. If there is then ensure your (SSL) development libraries match the versions on each system and ensure the compile time configuration for finding /etc/pki (or wherever SSL asserts its certificate structure is located at) matches each system. (There's prolly SSL-related configuration files or environment variables to do so but that may or may not work and will most likely bite you when you decide more applications dependant on SSL.)
Is the output of these two commands safe to be pasted here? I ran both, and they are different. I would like to show to you, but tell me if I should edit something in these lines' outputs before copying them here.

Last edited by dedec0; 06-05-2017 at 08:52 AM.
 
Old 06-05-2017, 09:22 AM   #8
dedec0
Senior Member
 
Registered: May 2007
Posts: 1,143

Original Poster
Rep: Reputation: 43
Question

Quote:
Originally Posted by unSpawn View Post
[...] (YMMVM) [...]
YMMVM? What is that? I could only find YMMV: onlineslangdictionary.com/meaning-definition-of/ymmv (says it is "your mileage may vary").

Last edited by dedec0; 06-11-2017 at 04:57 PM.
 
Old 06-06-2017, 12:27 PM   #9
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594
Quote:
Originally Posted by dedec0 View Post
That may be possible. Although it is not the most common scenario, it is not something that should fail.
If you do things "By the Book", that is install pre-packaged software, this error would not occur.


Quote:
Originally Posted by dedec0 View Post
This is possibly true. But I imagine that if some development library was missing for OpenSSL or for Links, their configure script should have warned me - is this idea wrong?
No, that's correct.


Quote:
Originally Posted by dedec0 View Post
If some certificate is also needed (not just the OpenSSL dev. lib.), it should be pointed with a different option - right?
Yes, with "--openssldir". However: if unset it'll default to "/usr/local/ssl". (See for yourself with '/path/to/your/custom/openssl version -d;' versus '/usr/bin/openssl version -d;'.)


Quote:
Originally Posted by dedec0 View Post
As said in the first post of this thread, and in the other thread about OpenSSL+Links in different dirs, Links' configure script said that SSL v2 and V3 were not enabled. Until now, no-one commented that detail in both threads. I would choose to enable them, but I have not seen the reason for them being disabled. There is no option specifically to SSL v2 or v3 in Links' configure script.
You must not use SSLv2 or SSLv3 as they're whorribly insecure, ancient, blisteringly outdated, deprecated, you get it.


Quote:
Originally Posted by dedec0 View Post
This is not an option, for reasons not chosen by me. And I want to be able to fully build and install Links - why not?
Shame you didn't elaborate why not.


Quote:
Originally Posted by dedec0 View Post
Is the output of these two commands safe to be pasted here? I ran both, and they are different. I would like to show to you, but tell me if I should edit something in these lines' outputs before copying them here.
Basically what you'll be posting is diagnostic output of openssl interpreting how it should validate encountered remote certs. So as long as those certs are publicly accessible and the FQDN is not (in)directly linked to anything you would not want to associate yourself with publicly then there's no harm in sharing that nfo.


Quote:
Originally Posted by dedec0 View Post
YMMVM? What is that? I could only find YMMV: onlineslangdictionary.com/meaning-definition-of/ymmv
Yes, that should read YMMV(VM) as in "Your Mileage May Vary (Very Much)" ;-p
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Is the links text browser safer than a GUI browser? whois Linux - Software 5 10-31-2014 09:41 PM
LXer: More Secure SSH Connections LXer Syndicated Linux News 0 04-01-2014 05:12 AM
S L O W secure connections on debian router maerkis Linux - Networking 1 04-03-2008 10:19 AM
Two connections -one backup - one normal ?? ALInux Linux - Networking 3 02-09-2006 08:40 AM
Creating Secure SMB Connections scottpioso Linux - Networking 17 12-03-2003 08:07 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Software

All times are GMT -5. The time now is 08:32 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration