bug-wget

Re: [Bug-wget] Overly permissive hostname matching


From: Jeffrey Walton
Subject: Re: [Bug-wget] Overly permissive hostname matching
Date: Tue, 18 Mar 2014 18:36:51 -0400

Hi Tim,

On Tue, Mar 18, 2014 at 5:31 PM, Tim Rühsen <address@hidden> wrote:
> ...
> BTW, to reproduce the issue I used a GnuTLS compiled/linked version of Wget:
>
> $ wget -d --ca-certificate=ca-rsa-cert.pem --private-key=ca-rsa-key-plain.pem https://example.com:8443
> 2014-03-18 21:48:04 (1.88 GB/s) - Read error at byte 5116 (The TLS connection was non-properly terminated.).Retrying.
>
> There seems to be a problem in Wget 1.15 (on Debian SID)...
Confirmed on wheezy. I thought it was my OpenSSL server.

> But despite from that, Wget uses the hostname checking facility of the GnuTLS
> library (or of OpenSSL library if appropriately compiled).
OpenSSL won't have hostname checking until 1.0.2. See the CHANGELOG at
https://www.openssl.org/news/changelog.html.

(Mentioned in case you thought wget was performing it via OpenSSL).

> IMHO, the Public Suffix List (PSL) should not only be used to verify cookies
> but also be used for certificate hostname checking.
+1

Jeff
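
Added example, not part of the original message and not code from Wget, GnuTLS or OpenSSL: one way the Public Suffix List suggestion discussed above could be applied when matching a certificate name against a hostname. The function names and the few-entry `SAMPLE_PSL` table are hypothetical and constructed for illustration; a real check would consult the full list.

```c
#include <string.h>
#include <strings.h>

/* Constructed sample of public suffixes (assumption): a real implementation
   would load the complete Public Suffix List instead of this table. */
static const char *const SAMPLE_PSL[] = { "com", "org", "uk", "co.uk", NULL };

static int is_public_suffix(const char *domain)
{
    for (size_t i = 0; SAMPLE_PSL[i]; i++)
        if (strcasecmp(domain, SAMPLE_PSL[i]) == 0)
            return 1;
    return 0;
}

/* Returns 1 if certificate name `pattern` is acceptable for `host`, else 0.
   A wildcard is honoured only as the complete left-most label ("*.example.com"),
   stands for exactly one label, never applies to numeric (IP-like) hosts, and
   is refused when what follows it is a public suffix. */
int cert_name_matches(const char *pattern, const char *host)
{
    if (!pattern || !host || !*pattern || !*host)
        return 0;
    if (strchr(pattern, '*') == NULL)
        return strcasecmp(pattern, host) == 0;   /* plain name: exact match */

    /* Wildcard must be "*." at the very start, with no other '*' later. */
    if (pattern[0] != '*' || pattern[1] != '.' || strchr(pattern + 2, '*'))
        return 0;
    const char *base = pattern + 2;              /* e.g. "example.com" */
    if (*base == '\0' || is_public_suffix(base))
        return 0;                                /* "*.com", "*.co.uk" refused */

    /* Hosts made only of digits and dots are treated as IP addresses. */
    if (strspn(host, "0123456789.") == strlen(host))
        return 0;

    const char *dot = strchr(host, '.');         /* end of host's first label */
    if (!dot || dot == host)
        return 0;                                /* nothing for '*' to cover */
    return strcasecmp(dot + 1, base) == 0;       /* remainder must equal base */
}
```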


