Re: [Bug-wget] Test certificate host name verification fails with GnuTLS

From: Tim Rühsen
Subject: Re: [Bug-wget] Test certificate host name verification fails with GnuTLS 3.5.12+
Date: Sat, 08 Jul 2017 17:36:21 +0200
User-agent: KMail/5.2.3 (Linux/4.11.0-1-amd64; KDE/5.28.0; x86_64; ; )

On Saturday, 8 July 2017 15:32:44 CEST Ludovic Courtès wrote:
> Hello,
> I experienced the test failure reported at
> <https://lists.gnu.org/archive/html/bug-wget/2017-06/msg00009.html> for
> ‘testenv/Test--https.py’ and related tests with:
>   The certificate's owner does not match hostname
> There’s no problem when wget is built against GnuTLS 3.5.9; the test
> failure shows up when wget is built against GnuTLS 3.5.13.
> After digging a bit, I found this change in GnuTLS 3.5.12 ‘NEWS’:
> --8<---------------cut here---------------start------------->8---
> ** libgnutls: gnutls_x509_crt_check_hostname2() no longer matches IP
> addresses against DNS fields of certificate (CN or DNSname). The previous
> behavior was to tolerate some misconfigured servers, but that was
> non-standard and skipped any IP constraints present in higher level
> certificates.
> --8<---------------cut here---------------end--------------->8---
> I think the fix is (1) to explicitly regenerate test certificates that
> use “localhost” as their ‘DNSname’ (when replying to certtool’s “Enter a
> dnsName of the subject of the certificate”), and (2) to use “localhost”
> instead of “” in test URIs.

Thanks, Ludo.

The issue is reproducible with the new version of GnuTLS.
Changing the certs is straightforward; there are .cfg files and a make_ca.sh 
script doing that.
But the python test suite itself needs a change, so that {{SRV_HOST}} gets 
replaced by 'localhost' instead of the first IP that localhost resolves to.

Obviously, my python isn't good enough to find and change that place.
@Darshit Need your help here

Regards, Tim

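The GnuTLS change discussed in this thread is easy to misread, so here is the matching rule spelled out in code. This is an added illustration, not code from wget, GnuTLS or either poster: a small Python model of the hostname check, with a flag that reproduces the pre-3.5.12 tolerance (an IP-literal host compared as a string against dNSName entries) beside the strict RFC 6125 behaviour (an IP host matches only iPAddress entries, a DNS host matches only dNSName entries, one wildcard allowed in the left-most label). The `SubjectAltNames` container and the sample SAN sets are constructed for the example; a real verifier would fill them from the parsed certificate. It shows why a test certificate carrying only `dNSName=localhost` fails when the test suite connects to the address localhost resolves to, and why either connecting by name or adding an iPAddress entry fixes it.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class SubjectAltNames:
    """SAN entries as a verifier would extract them from a parsed X.509 cert.
    (Constructed container for this example, not a GnuTLS or wget type.)"""
    dns_names: list[str] = field(default_factory=list)
    ip_addresses: list[str] = field(default_factory=list)


def _dns_match(pattern: str, name: str) -> bool:
    """RFC 6125 section 6.4.3 style comparison of one dNSName entry.

    Case-insensitive, trailing dot ignored, wildcard only as the whole
    left-most label and matching exactly one label. Patterns such as
    '*.com' (fewer than three labels) are rejected as too broad.
    """
    pattern = pattern.lower().rstrip(".")
    name = name.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == name
    p_labels = pattern.split(".")
    n_labels = name.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if len(p_labels) != len(n_labels) or not n_labels[0]:
        return False
    return p_labels[1:] == n_labels[1:]


def check_hostname(san: SubjectAltNames, host: str, legacy_ip_match: bool = False) -> bool:
    """Return True if `host` is covered by the certificate's SAN entries.

    Strict mode (GnuTLS >= 3.5.12 behaviour as described in its NEWS):
      * an IP-literal host is compared only against iPAddress entries;
      * a DNS-name host is compared only against dNSName entries.
    legacy_ip_match=True additionally lets an IP-literal host match a
    dNSName entry that happens to contain the same string, which is the
    tolerance the GnuTLS change removed.
    """
    try:
        wanted_ip = ipaddress.ip_address(host.strip("[]"))  # '[::1]' from a URL
    except ValueError:
        wanted_ip = None

    if wanted_ip is not None:
        for entry in san.ip_addresses:
            if ipaddress.ip_address(entry) == wanted_ip:
                return True
        if legacy_ip_match:
            # Pre-3.5.12 tolerance: IP string textually equal to a dNSName.
            return any(d.lower() == host.lower() for d in san.dns_names)
        return False

    # Never let a wildcard or literal dNSName match an IP, and never let an
    # iPAddress entry match a DNS name: the two name forms are disjoint.
    return any(_dns_match(d, host) for d in san.dns_names)


# Constructed sample SAN sets for illustration.
DNS_ONLY = SubjectAltNames(dns_names=["localhost"])                 # old wget test cert
DNS_AND_IP = SubjectAltNames(dns_names=["localhost"],
                             ip_addresses=["127.0.0.1", "::1"])     # one possible fix
MISCONFIGURED = SubjectAltNames(dns_names=["127.0.0.1"])            # IP stuffed into dNSName
WILDCARD = SubjectAltNames(dns_names=["*.example.test"])


def summary() -> dict:
    """Table of the cases that matter for the test-suite discussion."""
    return {
        "dns_only/localhost": check_hostname(DNS_ONLY, "localhost"),
        "dns_only/127.0.0.1": check_hostname(DNS_ONLY, "127.0.0.1"),
        "dns_and_ip/127.0.0.1": check_hostname(DNS_AND_IP, "127.0.0.1"),
        "dns_and_ip/[::1]": check_hostname(DNS_AND_IP, "[::1]"),
        "misconfigured/strict": check_hostname(MISCONFIGURED, "127.0.0.1"),
        "misconfigured/legacy": check_hostname(MISCONFIGURED, "127.0.0.1", legacy_ip_match=True),
        "wildcard/www": check_hostname(WILDCARD, "www.example.test"),
        "wildcard/apex": check_hostname(WILDCARD, "example.test"),
        "wildcard/two-labels": check_hostname(WILDCARD, "a.b.example.test"),
    }


if __name__ == "__main__":
    for case, ok in summary().items():
        print(f"{case:28} {'match' if ok else 'NO MATCH'}")
```

The two lines that correspond to Ludovic's proposed fix are `dns_only/127.0.0.1` (fails under the strict rule, which is the reported "certificate's owner does not match hostname") and `dns_only/localhost` (passes), so replacing the resolved IP with `localhost` in the test URIs is sufficient on its own; regenerating the certificates with an iPAddress entry as well (`dns_and_ip/...`) makes the tests independent of which form the suite uses. The `misconfigured/*` pair shows exactly the tolerance GnuTLS dropped.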
