bug-wget

Re: [Bug-wget] Overly permissive hostname matching


From: Daniel Kahn Gillmor
Subject: Re: [Bug-wget] Overly permissive hostname matching
Date: Tue, 18 Mar 2014 20:05:07 -0400
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Icedove/24.2.0

On 03/18/2014 05:31 PM, Tim Rühsen wrote:
> $ wget -d --ca-certificate=ca-rsa-cert.pem --private-key=ca-rsa-key-plain.pem 
> https://example.com:8443
> 2014-03-18 21:48:04 (1.88 GB/s) - Read error at byte 5116 (The TLS connection 
> was non-properly terminated.).Retrying.
> 
> There seems to be a problem in Wget 1.15 (on Debian SID)...

hm, i'll try to take a look at this.

> But despite from that, Wget uses the hostname checking facility of the GnuTLS 
> library (or of OpenSSL library if appropriately compiled). And I saw you 
> already addressed bug-gnutls, which seems the right way to go.
> 
> IMHO, the Public Suffix List (PSL) should not only be used to verify cookies 
> but also be used for certificate hostname checking.
> 
> Libraries like GnuTLS should offer an API for this kind of checking; best would 
> be having the PSL as a separate file, maintained by the distribution 
> maintainers (or the user, if he wants to do it). The SSL library should 
> load/unload the PSL under the application's control.

that sounds really fiddly to me -- you want the application to know why
the TLS stack needs to know about the public suffix list, and to be able
to control it appropriately?

I think we need good sensible defaults, and a locally-cached,
frequently-updated copy of the public suffix list; then if we really
really want the application to be able to control the use of an
alternate suffix list we can provide an API for that, but i can't
imagine we'd want to require the application to specify anything (even
asking the application to load the default local PSL seems like too much
to expect from most apps that just want "to layer in some TLS").

> Maybe it would be a good idea to provide a separate PSL library that could be 
> used by SSL libraries for hostname checking and HTTP(S) clients for cookie 
> verification.

I maintain publicsuffix in debian, and i try to help on the gnutls side
of things too (both upstream and a little bit of kibitzing about the
debian packaging).

debian has php, python, perl, and haskell bindings for the public suffix
list, but i don't think anyone has packaged a C library for it.

I've got discussion in my mailbox that i haven't processed in ages with
Florian Sager about packaging regdom-libs [0], though, and the library
looks like it's been revived a bit since i gave up on it last [1].  Do
you think this C interface would be a useful one or would you expect a
different API?

[0] http://www.dkim-reputation.org/regdom-libs/
[1] https://bugs.debian.org/683881

> If of any interest, there is already some LGPLed code at
>   https://github.com/rockdaboot/mget/blob/master/libmget/cookie.c
> There are also some unit test routines in the project.

hm, do you know if the libmget folks are willing to break that code out
separately?  linking to all of libmget doesn't sound like a good idea,
and it would be a shame to have to maintain separate copies of this
codebase.

        --dkg
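As an added illustration of the shared check the thread argues for (this is not code from wget, GnuTLS, libmget or regdom-libs), the two functions below apply one PSL lookup to both questions: may a wildcard certificate name match this host, and may this host set a cookie for that domain. The embedded suffix list is a constructed fragment, a flat list without the real PSL's wildcard and exception rules, so a real implementation would replace `is_public_suffix()` with a proper PSL library call.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Constructed PSL fragment for the example; the real list has thousands of
 * entries plus "*." and "!" rules that this flat lookup does not implement. */
static const char *const PSL_SAMPLE[] = { "com", "uk", "co.uk", "github.io" };
#define PSL_COUNT (sizeof PSL_SAMPLE / sizeof PSL_SAMPLE[0])

static bool is_public_suffix(const char *domain)
{
    for (size_t i = 0; i < PSL_COUNT; i++)
        if (strcasecmp(domain, PSL_SAMPLE[i]) == 0)
            return true;
    return false;
}

/* Certificate name check: a wildcard may only be the whole leftmost label,
 * must stand for exactly one non-empty label, and the part after "*." must
 * not be a public suffix (a "*.co.uk" certificate would match every UK site). */
bool tls_hostname_match(const char *pattern, const char *host)
{
    if (strncmp(pattern, "*.", 2) != 0)
        return strcasecmp(pattern, host) == 0;   /* plain name: exact match */
    const char *rest = pattern + 2;
    if (strchr(rest, '*') || is_public_suffix(rest))
        return false;
    const char *dot = strchr(host, '.');
    if (dot == NULL || dot == host)
        return false;                            /* no label for "*" to replace */
    return strcasecmp(dot + 1, rest) == 0;
}

/* Cookie scope check: the host may set a cookie for cookie_domain only if
 * the domain is the host itself or a parent of it, and is not a public
 * suffix (a "co.uk" cookie would otherwise be sent to every UK site). */
bool cookie_domain_ok(const char *cookie_domain, const char *request_host)
{
    if (*cookie_domain == '.')
        cookie_domain++;                         /* tolerate the leading-dot form */
    if (is_public_suffix(cookie_domain))
        return false;
    size_t cl = strlen(cookie_domain), hl = strlen(request_host);
    if (cl > hl)
        return false;
    const char *tail = request_host + (hl - cl);
    if (strcasecmp(tail, cookie_domain) != 0)
        return false;
    return cl == hl || tail[-1] == '.';          /* must end on a label boundary */
}
```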


