
Re: [Bug-wget] [PATCH] Improve handling of SSL/TLS alerts with GnuTLS.


From: Tim Ruehsen
Subject: Re: [Bug-wget] [PATCH] Improve handling of SSL/TLS alerts with GnuTLS.
Date: Mon, 6 May 2013 10:24:36 +0200
User-agent: KMail/1.13.7 (Linux/3.2.0-4-amd64; KDE/4.8.4; x86_64; ; )

Hi,

thanks for your work to improve wget!

Are you sure there are no other non-fatal return values?
e.g. GNUTLS_E_REHANDSHAKE

AFAIK, this is a GnuTLS example that also uses a handshake loop but relies completely
on gnutls_error_is_fatal():

// simplified version without timeout handling
// retry until the handshake completes (0) or GnuTLS reports a fatal error
int ret;
do {
        ret = gnutls_handshake(session);
} while (ret != 0 && !gnutls_error_is_fatal(ret));

Regards, Tim

On Sunday 05 May 2013, mancha wrote:
> Hello.
> 
> wget, built against GnuTLS, terminates SSL/TLS handshakes
> upon receiving any error alert (including non-fatal ones).
> 
> This creates a problem when connecting to servers that support
> TLS-SNI and reply with a warning-level unrecognized name alert
> (eg. due to misconfiguration).
> 
> My patch changes wget's behavior to ignore warning-level alerts
> during client/server hello and provides more detailed logging. The
> patch's compound conditional is not strictly necessary because
> GNUTLS_E_WARNING_ALERT_RECEIVED is non-fatal but a check on the
> latter is included as a fail-safe. It applies cleanly to
> address@hidden
> 
> Ignoring non-fatal alerts during handshake is consistent with
> Firefox and Chrome behavior.
> 
> I set up a server to replicate unrecognized_name alert conditions:
> 
> A. Current behavior:
> 
>    [warning-level alert]
>    $ wget https://localhost
>    --2013-05-05 08:18:35--  https://localhost/
>    Resolving localhost (localhost)... 127.0.0.1
>    Connecting to localhost (localhost)|127.0.0.1|:443... connected.
>    GnuTLS: A TLS warning alert has been received.
>    Unable to establish SSL connection.
> 
>    [fatal-level alert]
>    $ wget https://localhost
>    --2013-05-05 08:20:52--  https://localhost/
>    Resolving localhost (localhost)... 127.0.0.1
>    Connecting to localhost (localhost)|127.0.0.1|:443... connected.
>    GnuTLS: A TLS fatal alert has been received.
>    Unable to establish SSL connection.
> 
> B. Behavior after patch:
> 
>    [warning-level alert]
>    $ wget https://localhost
>    --2013-05-05 08:01:40--  https://localhost/
>    Resolving localhost (localhost)... 127.0.0.1
>    Connecting to localhost (localhost)|127.0.0.1|:443... connected.
>    GnuTLS: A TLS warning alert has been received.
>    GnuTLS: received alert [112]: The server name sent was not recognized
>    HTTP request sent, awaiting response... 200 OK
>    Length: unspecified [text/html]
>    Saving to: 'index.html'
> 
>    [fatal-level alert]
>    $ wget https://localhost
>    --2013-05-05 08:03:27--  https://localhost/
>    Resolving localhost (localhost)... 127.0.0.1
>    Connecting to localhost (localhost)|127.0.0.1|:443... connected.
>    GnuTLS: A TLS fatal alert has been received.
>    GnuTLS: received alert [112]: The server name sent was not recognized
>    Unable to establish SSL connection.
> 
> Cheers and thank you for wget!
> 
> --mancha
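As an added example (not code from this thread, from wget or from GnuTLS), the retry loop Tim shows above combined with the check a client wants once it tolerates warning alerts during the handshake as mancha's patch does: a peer that answers every round with a warning-level alert must not be able to keep the client retrying forever. The handshake step is injected (an assumption, so the harness builds without libgnutls) and the E_* values are assumed to match GnuTLS's gnutls.h.

```c
/* Added example, not wget's or GnuTLS's code: the retry loop from the snippet
 * above plus a bound on how many warning alerts a peer may send. The step is
 * injected so it builds without libgnutls; E_* values assume GnuTLS's gnutls.h. */
#include <stdio.h>
#define E_FATAL_ALERT_RECEIVED   (-12)
#define E_WARNING_ALERT_RECEIVED (-16)
#define E_AGAIN                  (-28)
#define E_INTERRUPTED            (-52)
static int error_is_fatal(int ret) /* stand-in for gnutls_error_is_fatal() */
{
    return ret < 0 && ret != E_AGAIN && ret != E_INTERRUPTED
                   && ret != E_WARNING_ALERT_RECEIVED;
}

typedef int (*handshake_fn)(void *ctx); /* real code: wrap gnutls_handshake(session) */
/* Returns 0 or the code that ended the loop; *warnings counts warning alerts.
 * More than max_warnings of them aborts, so a peer cannot spin the client forever. */
int bounded_handshake(handshake_fn step, void *ctx, int max_warnings, int *warnings)
{
    int ret;
    *warnings = 0;
    do {
        ret = step(ctx); /* wget's patch would log gnutls_alert_get() on a warning */
        if (ret == E_WARNING_ALERT_RECEIVED && ++*warnings > max_warnings)
            break;
    } while (ret != 0 && !error_is_fatal(ret));
    return ret;
}

struct script { const int *codes; size_t n, pos; }; /* constructed peer: replays codes[], last repeats */
static int scripted_step(void *ctx)
{
    struct script *s = ctx;
    int ret = s->codes[s->pos];
    if (s->pos + 1 < s->n) s->pos++;
    return ret;
}
int run_script(const int *codes, size_t n, int max_warnings, int *warnings)
{
    struct script s = { codes, n, 0 };
    return bounded_handshake(scripted_step, &s, max_warnings, warnings);
}

int main(void)
{
    static const int flood[] = { E_WARNING_ALERT_RECEIVED };
    int w, r = run_script(flood, 1, 3, &w);
    printf("warning flood: ret %d after %d warning alerts\n", r, w);
    return 0;
}
```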