sslelinks

SSL certificates and elinks

I sometimes use elinks for web browsing and it happens that some https sites fail to load because of an SSL error.

One example is https://www.rust-lang.org that doesn't load in elinks, but work fine other browsers like chromium and firefox.

Checking the https://www.rust-lang.org certificate with the command line give a very short output:

$ echo | openssl s_client -connect www.rust-lang.org:443 2>/dev/null
CONNECTED(00000003)
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 297 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1459658221
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

As a comparison google output is:

$ echo | openssl s_client -connect www.google.com:443 2>/dev/null
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority G2
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEgDCCA2igAwIBAgIIF8zP738syB4wDQYJKoZIhvcNAQELBQAwSTELMAkGA1UE
BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl
cm5ldCBBdXRob3JpdHkgRzIwHhcNMTYwMzIzMTk0MTQ0WhcNMTYwNjE1MTkyMDAw
WjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN
TW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEXMBUGA1UEAwwOd3d3
Lmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCoxzls
wT/PC9gErDAme+LX9PAdv8270+BHCaNe/YxZE093ryPQq5PPKHsBNSzNvHwNfWuv
H3z/CBvaIiFgBimSm3cWOvjXipqTL5sHGkLr/RNAxmwo2dUKZ0LBUCXB4YvXkMb0
lI3XpgZk1CUzE7jj3HDgA+IOpT8JgbmKH19Z7+lwBzaunztBk8YM/LKrb9XtDzYW
diPkBwm0xx2dj2jCrj49Hvug9qAGQ5Zx8YuNrwR5qYXW/8aVB6MJ8r/ZLKzU39k3
nvp5ZylyGklJAuGneCblChzpR18ab8k2B/26qgCv7T4MLoAGRTbvTrZ0HxTj8aie
yI0+jZjRQjBeYwGPAgMBAAGjggFLMIIBRzAdBgNVHSUEFjAUBggrBgEFBQcDAQYI
KwYBBQUHAwIwGQYDVR0RBBIwEIIOd3d3Lmdvb2dsZS5jb20waAYIKwYBBQUHAQEE
XDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtpLmdvb2dsZS5jb20vR0lBRzIuY3J0
MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50czEuZ29vZ2xlLmNvbS9vY3NwMB0G
A1UdDgQWBBQKfpRDWX9xAx1/4SBXfKJdHrqPHjAMBgNVHRMBAf8EAjAAMB8GA1Ud
IwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEvMCEGA1UdIAQaMBgwDAYKKwYBBAHW
eQIFATAIBgZngQwBAgIwMAYDVR0fBCkwJzAloCOgIYYfaHR0cDovL3BraS5nb29n
bGUuY29tL0dJQUcyLmNybDANBgkqhkiG9w0BAQsFAAOCAQEAiwUNf4uVHi1f8u1m
nd2vEHlOIQkNFLeuj9RPQfsFPL7fX/UzE5HbLzp1y4ICnRuCONKhz08YZ56pQ09A
+MfzIm0/e3yytHRf5f+YWATKkGtEh3pJdkOJM2UYIFFDs382a+bau7dTVyZFgMyS
m2Wlhw/zCLBgIebkSwsrrJAftwKu2AjvG6XJCUd08MSEe6UVF15COudEdVkKoDWR
ZmITWRFSFAeeJ5dKAzRojKVgGYV8tw6ByVKSizl5WS+hrXdD4IHkProKEFbSQgIv
Eyv87d8W8yscamZDU6Da+Djjxf07LkE3qDtd/RQY+IMm4V17ko6WfaV7ibionAA5
uAnzkw==
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2
---
No client certificate CA names sent
---
SSL handshake has read 3727 bytes and written 423 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: BBBB89FD38DF58981900A70A2F92A01E57888CF80B71AE19DE5F92EDE389D7FE
    Session-ID-ctx: 
    Master-Key: 80B4C5C3F81C7AFDAA226BB0285E9F9088737151CCB4EA742328C727363F9663997E68D757CB73B79EF8E3C90B622E12
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 100800 (seconds)
    TLS session ticket:
    0000 - ee 03 90 3e 12 a6 14 ba-f9 db 39 f7 6f 3c bf 58   ...>......9.o<.X
    0010 - 32 5d 0a 6f 08 cf 17 f9-16 49 91 c3 4f 99 50 01   2].o.....I..O.P.
    0020 - 6a 90 47 0a 7d 62 5e b8-26 ef 21 9f f3 df a9 35   j.G.}b^.&.!....5
    0030 - 17 90 53 cf 6a 1e d8 e7-ef d9 7a fc ea 80 c0 74   ..S.j.....z....t
    0040 - c2 ee ba e4 5c ef 04 38-45 58 75 f6 7f f4 cd 78   ....\..8EXu....x
    0050 - eb 31 5d be c2 c9 bb cd-dc c1 13 cc 81 84 48 39   .1]...........H9
    0060 - 12 52 43 ae c6 24 1b 6e-85 7f 23 90 ff 80 9c 11   .RC..$.n..#.....
    0070 - 49 e2 b4 c1 bf 32 08 e5-c4 55 84 de 46 77 d0 a1   I....2...U..Fw..
    0080 - 92 7b 7c 1b 54 a1 49 c2-b0 d7 b9 f8 65 d2 1d 19   .{|.T.I.....e...
    0090 - 2d 8e 5a 66 72 6c c8 50-7c d7 aa b8 58 28 7c 7d   -.Zfrl.P|...X(|}
    00a0 - 4c 64 1a 85                                       Ld..

    Start Time: 1459659110
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---

Why chromium and firefox get the right certificate and not elinks, and is there a way to read these sites in elinks?

Solution

  • You need to use Server Name Indication (SNI) to successfully access www.rust-lang.org. With openssl s_client this can be done by adding the -servername parameter:

    $ openssl s_client -connect www.rust-lang.org:443 \
   -servername www.rust-lang.org
...
subject=/OU=Domain Control Validated/OU=EssentialSSL Wildcard/CN=*.rust-lang.org
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
...
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256

    All modern browser support SNI and it is heavily used in the internet. For instance all of Cloudflare Free SSL needs SNI. My guess is that the version of elinks you use does not support SNI yet. I've found a related bug report from 09/2015 against elinks 0.12pre6. Given that this version is still the newest version and that it looks like that development of elinks stopped in 2012 my guess is that the issue is still unresolved.