Hi, could it be, that the text-browsers (lynx, links, w3m) don't even bother comparing the actual server name to the certificate's "issued for" entry? I just tested these and none complained: - lynx 2.8.5dev.2 (with OpenSSL 0.9.6a) - links 0.96 - w3m 0.1.11-pre (all on Mandrake Linux 8.1) Neither did any of them complain when accessing a https web page with a self-made certificate. Regards, K. > Looks like Konqueror 2.2.1 (Mandrake Linux 8.1 + OpenSSL 0.9.6b) is also > vulnerable. I've got no warning when entering on this page. I've tested it > also with lynx 2.8.4rel.1 (compiled with OpenSSL 0.9.6a on FreeBSD) with the > same result. > > -- > * Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** > NIC-HDL: PMF9-RIPE * > * Inet: przemyslaw@frasunek.com ** PGP: > D48684904685DF43EA93AFA13BE170BF *
