[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Bug-wget] OpenSSL 1.1.0
|
From: |
Tim Ruehsen |
|
Subject: |
Re: [Bug-wget] OpenSSL 1.1.0 |
|
Date: |
Wed, 29 Jun 2016 13:22:07 +0200 |
|
User-agent: |
KMail/4.14.10 (Linux/4.6.0-1-amd64; KDE/4.14.21; x86_64; ; ) |
On Wednesday 29 June 2016 00:10:34 Ángel González wrote:
> On 28/06/16 22:16, Tim Rühsen wrote:
> > Patching src/openssl.c for 1.1.0 (see below) let it compile.
> > But the HTTPS tests fail due to
> >
> > ERROR: cannot verify localhost's certificate, issued by
> > 'O=GNU,OU=Wget,CN=GNU>
> > Wget':
> > unsupported certificate purpose
> >
> > Any idea ?
>
> server-cert.pem has the following extensions:
> Key Usage
> Usages: Revocation list signature
> Critical: Yes
>
> Extended Key Usage
> Allowed Purposes: Server Authentication
> Critical: No
>
>
> Looks like the second extension isn't supported by OpenSSL 1.1.0, and
> Server Authentication not being in Key Usage, it is rejected.
>
> Recreate this certificate with no Key Usage at all would probably fix
> it. I'm not sure about the required steps, though.
Just pushed a commit with a shell script to automatically generate the files
in testenv/certs. Built with GnuTLS, wget passes the tests.
With OpenSSL 1.1.0 (+ my patch + freshly generated certs), wget spins at all
HTTPS tests, eating up 100% CPU.
With OpenSSL 1.1.0 (+ my patch + old certs), wget spins only in Test-
pinnedpubkey-der-no-check-https.py. The other HTTPS tests fail.
With a little debug output, I verified that SSL_peek() does not return (and
spins). Here is wget / valgrind output:
Setting --no-config (noconfig) to 1
Setting --check-certificate (checkcertificate) to 0
Setting --pinnedpubkey (pinnedpubkey) to
/usr/oms/src/wget1.x/testenv/certs/server-pubkey.der
DEBUG output created by Wget 1.18.7-4335 on linux-gnu.
Reading HSTS entries from /usr/oms/.wget-hsts
URI encoding = ‘UTF-8’
Converted file name 'File1' (UTF-8) -> 'File1' (UTF-8)
--2016-06-29 13:15:01-- https://127.0.0.1:34755/File1
Connecting to 127.0.0.1:34755... connected.
Created socket 3.
Releasing 0x00000000093d49d0 (new refcount 0).
Deleting unused 0x00000000093d49d0.
Initiating SSL handshake.
Handshake successful; connected socket 3 to SSL handle 0x00000000093d4b90
certificate:
subject: O=GNU,OU=Wget,CN=127.0.0.1
issuer: O=GNU,OU=Wget,CN=GNU Wget
WARNING: cannot verify 127.0.0.1's certificate, issued by
‘O=GNU,OU=Wget,CN=GNU Wget’:
Unable to locally verify the issuer's authority.
---request begin---
GET /File1 HTTP/1.1
User-Agent: Wget/1.18.7-4335 (linux-gnu)
Accept: */*
Accept-Encoding: identity
Host: 127.0.0.1:34755
Connection: Keep-Alive
---request end---
127.0.0.1 - - [29/Jun/2016 13:15:02] "GET /File1 HTTP/1.1" 200 -
HTTP request sent, awaiting response...
[Here is spins - killing memcheck process after a while:]
==560==
==560== Process terminating with default action of signal 15 (SIGTERM)
==560== at 0x54D802A: ??? (in /usr/lib/x86_64-linux-gnu/libssl.so.1.1)
==560== by 0x54DDFB5: ??? (in /usr/lib/x86_64-linux-gnu/libssl.so.1.1)
==560== by 0x54E7B56: SSL_peek (in /usr/lib/x86_64-linux-gnu/libssl.so.1.1)
==560== by 0x4360BC: openssl_peek (openssl.c:420)
==560== by 0x429BEC: fd_read_hunk (retr.c:513)
==560== by 0x41D546: read_http_response_head (http.c:575)
==560== by 0x41D546: gethttp (http.c:3162)
==560== by 0x42074F: http_loop (http.c:3975)
==560== by 0x42AB75: retrieve_url (retr.c:817)
==560== by 0x406C72: main (main.c:1947)
==560==
This kind of error could be anything... but OpenSSL should not behave like
that at all... any ideas ?
Regards, Tim
signature.asc
Description: This is a digitally signed message part.