[Bug-wget] [PATCH] Improve handling of SSL/TLS alerts with GnuTLS.
From: mancha
Subject: [Bug-wget] [PATCH] Improve handling of SSL/TLS alerts with GnuTLS.
Date: Sun, 05 May 2013 16:44:46 +0000
Hello.
wget, built against GnuTLS, terminates SSL/TLS handshakes
upon receiving any error alert (including non-fatal ones).
This creates a problem when connecting to servers that support
TLS-SNI and reply with a warning-level unrecognized name alert
(e.g. due to misconfiguration).
My patch changes wget's behavior to ignore warning-level alerts
during client/server hello and provides more detailed logging. The
patch's compound conditional is not strictly necessary because
GNUTLS_E_WARNING_ALERT_RECEIVED is non-fatal but a check on the
latter is included as a fail-safe. It applies cleanly to
address@hidden
Ignoring non-fatal alerts during handshake is consistent with
Firefox and Chrome behavior.
I set up a server to replicate unrecognized_name alert conditions:
A. Current behavior:
[warning-level alert]
$ wget https://localhost
--2013-05-05 08:18:35-- https://localhost/
Resolving localhost (localhost)... 127.0.0.1
Connecting to localhost (localhost)|127.0.0.1|:443... connected.
GnuTLS: A TLS warning alert has been received.
Unable to establish SSL connection.
[fatal-level alert]
$ wget https://localhost
--2013-05-05 08:20:52-- https://localhost/
Resolving localhost (localhost)... 127.0.0.1
Connecting to localhost (localhost)|127.0.0.1|:443... connected.
GnuTLS: A TLS fatal alert has been received.
Unable to establish SSL connection.
B. Behavior after patch:
[warning-level alert]
$ wget https://localhost
--2013-05-05 08:01:40-- https://localhost/
Resolving localhost (localhost)... 127.0.0.1
Connecting to localhost (localhost)|127.0.0.1|:443... connected.
GnuTLS: A TLS warning alert has been received.
GnuTLS: received alert [112]: The server name sent was not
recognized
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: 'index.html'
[fatal-level alert]
$ wget https://localhost
--2013-05-05 08:03:27-- https://localhost/
Resolving localhost (localhost)... 127.0.0.1
Connecting to localhost (localhost)|127.0.0.1|:443... connected.
GnuTLS: A TLS fatal alert has been received.
GnuTLS: received alert [112]: The server name sent was not
recognized
Unable to establish SSL connection.
Cheers and thank you for wget!
--mancha
0001-gnutls-do-not-abort-on-non-fatal-alerts-during-hands.patch
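As an added illustration (not part of this e-mail, of wget, or of GnuTLS), the C program below parses a raw TLS alert record and applies the policy the message describes: during the handshake, a warning-level alert is logged in the "received alert [N]: name" form shown in the patched output and the handshake continues, while a fatal-level alert aborts it. The record layout and alert codes follow RFC 5246 and RFC 6066 (112 = unrecognized_name); the sample records are constructed here, and treating a warning-level close_notify as the end of the connection is this example's own refinement, not something the patch claims.

```c
/* Added illustration (not wget's or GnuTLS's code): parse a TLS alert record
 * and decide what a handshake loop should do with it. Warning-level alerts
 * are logged and ignored, fatal-level alerts abort. Sample records below are
 * constructed for this example. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define TLS_CT_ALERT                21u   /* ContentType alert, RFC 5246 */
#define TLS_LEVEL_WARNING            1u
#define TLS_LEVEL_FATAL              2u
#define TLS_ALERT_CLOSE_NOTIFY       0u
#define TLS_ALERT_UNRECOGNIZED_NAME 112u   /* RFC 6066 (SNI) */

enum hs_action { HS_NOT_ALERT = 0, HS_CONTINUE = 1, HS_ABORT = 2, HS_MALFORMED = 3 };

struct tls_alert { uint8_t level; uint8_t description; };

/* Returns 1 and fills *out for a well-formed alert record, 0 for a record of
 * another content type, -1 for a truncated or malformed record. */
int parse_alert_record(const uint8_t *rec, size_t len, struct tls_alert *out)
{
    if (len < 5)
        return -1;                                /* no complete 5-byte record header */
    uint16_t body_len = (uint16_t)((rec[3] << 8) | rec[4]);
    if ((size_t)body_len + 5 > len)
        return -1;                                /* body truncated */
    if (rec[0] != TLS_CT_ALERT)
        return 0;
    if (body_len != 2)
        return -1;                                /* Alert is exactly level + description */
    out->level = rec[5];
    out->description = rec[6];
    return 1;
}

/* Names for the alert descriptions used here (RFC 5246 / RFC 6066). */
const char *alert_name(uint8_t description)
{
    switch (description) {
    case 0:   return "close_notify";
    case 40:  return "handshake_failure";
    case 42:  return "bad_certificate";
    case 48:  return "unknown_ca";
    case 112: return "unrecognized_name";
    default:  return "unknown alert";
    }
}

/* The handshake-loop decision. The log line mirrors the "received alert [N]"
 * format of the patched wget output. Example's own refinement: a warning-level
 * close_notify still ends the handshake, since the peer will send nothing more. */
enum hs_action handshake_action(const uint8_t *rec, size_t len, char *log, size_t loglen)
{
    struct tls_alert a;
    int r = parse_alert_record(rec, len, &a);
    if (r < 0)
        return HS_MALFORMED;
    if (r == 0)
        return HS_NOT_ALERT;
    snprintf(log, loglen, "received alert [%u]: %s (%s)", a.description,
             alert_name(a.description), a.level == TLS_LEVEL_FATAL ? "fatal" : "warning");
    if (a.level == TLS_LEVEL_FATAL)
        return HS_ABORT;
    if (a.level == TLS_LEVEL_WARNING)
        return a.description == TLS_ALERT_CLOSE_NOTIFY ? HS_ABORT : HS_CONTINUE;
    return HS_MALFORMED;                          /* unknown AlertLevel value */
}

/* Constructed sample records (record-layer version 0x0303 = TLS 1.2). */
const uint8_t kWarningUnrecognizedName[] = { 0x15, 0x03, 0x03, 0x00, 0x02, 0x01, 0x70 };
const uint8_t kFatalUnrecognizedName[]   = { 0x15, 0x03, 0x03, 0x00, 0x02, 0x02, 0x70 };
const uint8_t kWarningCloseNotify[]      = { 0x15, 0x03, 0x03, 0x00, 0x02, 0x01, 0x00 };
const uint8_t kTruncatedAlert[]          = { 0x15, 0x03, 0x03, 0x00, 0x02, 0x01 };
/* A Handshake-type record (content type 22): not an alert at all. */
const uint8_t kHandshakeRecord[]         = { 0x16, 0x03, 0x03, 0x00, 0x04, 0x02, 0x00, 0x00, 0x00 };

/* Convenience wrapper with a scratch log buffer. */
int action_for(const uint8_t *rec, size_t len)
{
    char log[96] = { 0 };
    return (int)handshake_action(rec, len, log, sizeof log);
}

int main(void)
{
    static const char *names[] = { "not an alert", "continue handshake", "abort", "malformed" };
    const uint8_t *recs[] = { kWarningUnrecognizedName, kFatalUnrecognizedName,
                              kWarningCloseNotify, kTruncatedAlert, kHandshakeRecord };
    size_t lens[] = { sizeof kWarningUnrecognizedName, sizeof kFatalUnrecognizedName,
                      sizeof kWarningCloseNotify, sizeof kTruncatedAlert, sizeof kHandshakeRecord };
    for (size_t i = 0; i < 5; i++) {
        char log[96] = { 0 };
        enum hs_action act = handshake_action(recs[i], lens[i], log, sizeof log);
        printf("record %zu -> %s%s%s\n", i, names[act], log[0] ? " | " : "", log);
    }
    return 0;
}
```

The two cases that matter for the patch are the first two: the same alert code 112 continues the handshake when the level byte is 1 (warning) and aborts it when the level byte is 2 (fatal), which is exactly the distinction the unpatched wget did not make.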