[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Bug-wget] Test certificate host name verification fails with GnuTLS
From: |
Ludovic Courtès |
Subject: |
Re: [Bug-wget] Test certificate host name verification fails with GnuTLS 3.5.12+ |
Date: |
Sun, 09 Jul 2017 21:26:04 +0200 |
User-agent: |
Gnus/5.13 (Gnus v5.13) Emacs/25.2 (gnu/linux) |
Hi Tim,
Tim Rühsen <address@hidden> skribis:
> On Samstag, 8. Juli 2017 15:32:44 CEST Ludovic Courtès wrote:
>> Hello,
>>
>> I experienced the test failure reported at
>> <https://lists.gnu.org/archive/html/bug-wget/2017-06/msg00009.html> for
>> ‘testenv/Test--https.py’ and related tests with:
>>
>> The certificate's owner does not match hostname
>>
>> There’s no problem when wget is built against GnuTLS 3.5.9; the test
>> failure shows up when wget is built against GnuTLS 3.5.13.
>>
>> After digging a bit, I found this change in GnuTLS 3.5.12 ‘NEWS’:
>>
>> --8<---------------cut here---------------start------------->8---
>> ** libgnutls: gnutls_x509_crt_check_hostname2() no longer matches IP
>> addresses against DNS fields of certificate (CN or DNSname). The previous
>> behavior was to tolerate some misconfigured servers, but that was
>> non-standard and skipped any IP constraints present in higher level
>> certificates. --8<---------------cut
>> here---------------end--------------->8---
>>
>> I think the fix is (1) to explicitly regenerate test certificates that
>> use “localhost” as their ‘DNSname’ (when replying to certtool’s “Enter a
>> dnsName of the subject of the certificate”), and (2) to use “localhost”
>> instead of “127.0.0.1” in test URIs.
>>
>> Thoughts?
>
> Thanks again, fixed now by
>
> - hard-coding the server domain to 'localhost'
> - replacing 127.0.0.1 by localhost in several tests
> - regenerating the server cert and crl files
Awesome, thanks for the quick reply!
Ludo’.