[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Bug-wget] Overly permissive hostname matching

From: Tim Rühsen
Subject: Re: [Bug-wget] Overly permissive hostname matching
Date: Tue, 18 Mar 2014 22:31:11 +0100
User-agent: KMail/4.11.5 (Linux/3.13-1-amd64; KDE/4.11.5; x86_64; ; )

Hi Jeffrey,

thanks for pointing this out.

BTW, to reproduce the issue I used a GnuTLS compiled/linked version of Wget:

$ wget -d --ca-certificate=ca-rsa-cert.pem --private-key=ca-rsa-key-plain.pem 
2014-03-18 21:48:04 (1.88 GB/s) - Read error at byte 5116 (The TLS connection 
was non-properly terminated.).Retrying.

There seems to be a problem in Wget 1.15 (on Debian SID)...

But despite from that, Wget uses the hostname checking facility of the GnuTLS 
library (or of OpenSSL library if appropriately compiled). And I saw you 
already addressed bug-gnutls, which seems the right way to go.

IHMO, the Public Suffix List (PSL) should not only be used to verify cookies 
also be used for certificate hostname checking.

Libraries as GnuTLS should offer an API for this kind of checking, best would 
be having the PSL as a separate file, maintained by the distribution 
maintainers (or the user, if he wants to to it). The SSL library should 
load/unload the PSL under the applications control.

Maybe it would be a good idea to provide a separate PSL library that could be 
used by SSL libraries for hostname checking and HTTP(S) clients for cookie 

If of any interest, there is already some LGPLed code at
There are also some unit test routines in the project.

Regards, Tim

Attachment: signature.asc
Description: This is a digitally signed message part.

reply via email to

[Prev in Thread] Current Thread [Next in Thread]