bug-wget

[Bug-wget] [PATCH] Improve handling of SSL/TLS alerts with GnuTLS.


From: mancha
Subject: [Bug-wget] [PATCH] Improve handling of SSL/TLS alerts with GnuTLS.
Date: Sun, 05 May 2013 16:44:46 +0000

Hello.

wget, built against GnuTLS, terminates SSL/TLS handshakes
upon receiving any error alert (including non-fatal ones).

This creates a problem when connecting to servers that support
TLS-SNI and reply with a warning-level unrecognized name alert
(e.g. due to misconfiguration).

My patch changes wget's behavior to ignore warning-level alerts
during client/server hello and provides more detailed logging. The
patch's compound conditional is not strictly necessary because
GNUTLS_E_WARNING_ALERT_RECEIVED is non-fatal but a check on the
latter is included as a fail-safe. It applies cleanly to
address@hidden

Ignoring non-fatal alerts during handshake is consistent with
Firefox and Chrome behavior.

I set up a server to replicate unrecognized_name alert conditions:

A. Current behavior:

   [warning-level alert]
   $ wget https://localhost
   --2013-05-05 08:18:35--  https://localhost/
   Resolving localhost (localhost)... 127.0.0.1
   Connecting to localhost (localhost)|127.0.0.1|:443... connected.
   GnuTLS: A TLS warning alert has been received.
   Unable to establish SSL connection.

   [fatal-level alert]
   $ wget https://localhost
   --2013-05-05 08:20:52--  https://localhost/
   Resolving localhost (localhost)... 127.0.0.1
   Connecting to localhost (localhost)|127.0.0.1|:443... connected.
   GnuTLS: A TLS fatal alert has been received.
   Unable to establish SSL connection.

B. Behavior after patch:

   [warning-level alert]
   $ wget https://localhost
   --2013-05-05 08:01:40--  https://localhost/
   Resolving localhost (localhost)... 127.0.0.1
   Connecting to localhost (localhost)|127.0.0.1|:443... connected.
   GnuTLS: A TLS warning alert has been received.
   GnuTLS: received alert [112]: The server name sent was not recognized
   HTTP request sent, awaiting response... 200 OK
   Length: unspecified [text/html]
   Saving to: 'index.html'

   [fatal-level alert]
   $ wget https://localhost
   --2013-05-05 08:03:27--  https://localhost/
   Resolving localhost (localhost)... 127.0.0.1
   Connecting to localhost (localhost)|127.0.0.1|:443... connected.
   GnuTLS: A TLS fatal alert has been received.
   GnuTLS: received alert [112]: The server name sent was not recognized
   Unable to establish SSL connection.

Cheers and thank you for wget!

--mancha

Attachment: 0001-gnutls-do-not-abort-on-non-fatal-alerts-during-hands.patch
Description: Binary data
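The handshake policy the mail describes, as an added example in C that is not the attached patch: the GnuTLS calls are replaced by a scripted driver fed constructed return codes so it builds without libgnutls, the error constants carry the values from gnutls.h, and the cap on consecutive warning alerts is an added assumption (a defensive limit so a peer cannot stall the client with an endless stream of warnings).

```c
/* Added example: tolerate warning-level alerts during the handshake, abort on fatal ones.
 * Not the submitted patch; gnutls_handshake() is stood in for by a scripted driver. */
#include <stdio.h>

/* Values as defined in gnutls.h (defined here so the example builds stand-alone). */
#define GNUTLS_E_AGAIN                  (-28)
#define GNUTLS_E_INTERRUPTED            (-52)
#define GNUTLS_E_WARNING_ALERT_RECEIVED (-16)
#define GNUTLS_E_FATAL_ALERT_RECEIVED   (-12)
#define GNUTLS_A_UNRECOGNIZED_NAME      112

/* Assumed safeguard, not part of the mail: stop after this many warning alerts. */
#define MAX_WARNING_ALERTS 4

/* Scripted stand-in for gnutls_handshake(): returns the next constructed code,
 * and 0 (handshake complete) once the script is exhausted. */
struct script { const int *codes; int n; int pos; };

static int scripted_handshake(struct script *s) {
    return (s->pos < s->n) ? s->codes[s->pos++] : 0;
}

/* Simplified gnutls_error_is_fatal(): these codes are the non-fatal ones relevant here. */
static int error_is_fatal(int rc) {
    return rc < 0 && rc != GNUTLS_E_AGAIN && rc != GNUTLS_E_INTERRUPTED
        && rc != GNUTLS_E_WARNING_ALERT_RECEIVED;
}

/* Drive the handshake; alert_desc stands in for gnutls_alert_get(session).
 * Returns 0 on success, otherwise the error code that ended the handshake. */
int handshake_tolerating_warnings(struct script *s, int alert_desc) {
    int warnings = 0;
    for (;;) {
        int rc = scripted_handshake(s);
        if (rc == 0) return 0;
        if (rc == GNUTLS_E_AGAIN || rc == GNUTLS_E_INTERRUPTED) continue; /* retry */
        /* The compound check from the mail: warning-level alert AND non-fatal per GnuTLS. */
        if (rc == GNUTLS_E_WARNING_ALERT_RECEIVED && !error_is_fatal(rc)) {
            fprintf(stderr, "GnuTLS: received alert [%d] (warning, continuing)\n", alert_desc);
            if (++warnings >= MAX_WARNING_ALERTS) return rc; /* assumed cap reached */
            continue;
        }
        fprintf(stderr, "GnuTLS: received alert [%d] (fatal, aborting)\n", alert_desc);
        return rc;
    }
}

/* Convenience wrapper for running one constructed scenario. */
int run_scenario(const int *codes, int n) {
    struct script s = { codes, n, 0 };
    return handshake_tolerating_warnings(&s, GNUTLS_A_UNRECOGNIZED_NAME);
}
```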

