bug-wget

Re: [Bug-wget] [PATCH] Improve handling of SSL/TLS alerts with GnuTLS.


From: Tim Rühsen
Subject: Re: [Bug-wget] [PATCH] Improve handling of SSL/TLS alerts with GnuTLS.
Date: Mon, 6 May 2013 20:58:54 +0200
User-agent: KMail/1.13.7 (Linux/3.7-trunk-amd64; KDE/4.8.4; x86_64; ; )

Ok, thanks.

Your patch should go into git.

Looks like handling other non-fatal events needs some deeper knowledge
(except GNUTLS_E_INTERRUPTED, which should not occur).
Whenever the need arises...

Regards, Tim

On Monday, 6 May 2013, mancha wrote:
> Hi.
> 
> You are right that GNUTLS_E_WARNING_ALERT_RECEIVED is not the only
> non-fatal return value. In GnuTLS 2.12.x there's GNUTLS_E_INTERRUPTED,
> GNUTLS_E_REHANDSHAKE, GNUTLS_E_WARNING_IA_IPHF_RECEIVED, and
> GNUTLS_E_WARNING_IA_FPHF_RECEIVED.
> 
> My patch only addresses non-fatal *alerts* (a subset of non-fatal
> errors) so theoretically the loop is logically equivalent to:
> 
> do
>  [code]
> while (err == GNUTLS_E_WARNING_ALERT_RECEIVED);
> 
> My first version of the patch relied entirely on
> gnutls_error_is_fatal() like your example. However, I decided
> to narrow down the scope because I didn't feel familiar enough
> with potential side-effects of ignoring other non-fatal events.
> 
> As to re-handshake requests, wget doesn't handle those (something
> to work on).
> 
> --mancha
> 
> On Mon, 06 May 2013 08:24:50 +0000 "Tim Ruehsen" 
> <address@hidden> wrote:
> >Hi,
> >
> >thanks for your work to improve wget !
> >
> >Are you sure there are no other non-fatal return values?
> >e.g. GNUTLS_E_REHANDSHAKE
> >
> >AFAIK, a GnuTLS example that also uses a handshake loop, but
> >relies completely on gnutls_error_is_fatal():
> >
> >// simplified version without timeout handling
> >do {
> >     ret = gnutls_handshake(session);
> >} while (ret != 0 && !gnutls_error_is_fatal(ret));
> >
> >Regards, Tim
> >
> >On Sunday, 5 May 2013, mancha wrote:
> >> Hello.
> >> 
> >> wget, built against GnuTLS, terminates SSL/TLS handshakes
> >> upon receiving any error alert (including non-fatal ones).
> >> 
> >> This creates a problem when connecting to servers that support
> >> TLS-SNI and reply with a warning-level unrecognized name alert
> >> (eg. due to misconfiguration).
> >> 
> >> My patch changes wget's behavior to ignore warning-level alerts
> >> during client/server hello and provides more detailed logging. The
> >> patch's compound conditional is not strictly necessary because
> >> GNUTLS_E_WARNING_ALERT_RECEIVED is non-fatal but a check on the
> >> latter is included as a fail-safe. It applies cleanly to
> >> address@hidden
> >> 
> >> Ignoring non-fatal alerts during handshake is consistent with
> >> Firefox and Chrome behavior.
> >> 
> >> I set up a server to replicate unrecognized_name alert conditions:
> >> 
> >> A. Current behavior:
> >> 
> >>    [warning-level alert]
> >>    $ wget https://localhost
> >>    --2013-05-05 08:18:35--  https://localhost/
> >>    Resolving localhost (localhost)... 127.0.0.1
> >>    Connecting to localhost (localhost)|127.0.0.1|:443... connected.
> >>    GnuTLS: A TLS warning alert has been received.
> >>    Unable to establish SSL connection.
> >> 
> >>    [fatal-level alert]
> >>    $ wget https://localhost
> >>    --2013-05-05 08:20:52--  https://localhost/
> >>    Resolving localhost (localhost)... 127.0.0.1
> >>    Connecting to localhost (localhost)|127.0.0.1|:443... connected.
> >>    GnuTLS: A TLS fatal alert has been received.
> >>    Unable to establish SSL connection.
> >> 
> >> B. Behavior after patch:
> >> 
> >>    [warning-level alert]
> >>    $ wget https://localhost
> >>    --2013-05-05 08:01:40--  https://localhost/
> >>    Resolving localhost (localhost)... 127.0.0.1
> >>    Connecting to localhost (localhost)|127.0.0.1|:443... connected.
> >>    GnuTLS: A TLS warning alert has been received.
> >>    GnuTLS: received alert [112]: The server name sent was not recognized
> >>    HTTP request sent, awaiting response... 200 OK
> >>    Length: unspecified [text/html]
> >>    Saving to: 'index.html'
> >> 
> >>    [fatal-level alert]
> >>    $ wget https://localhost
> >>    --2013-05-05 08:03:27--  https://localhost/
> >>    Resolving localhost (localhost)... 127.0.0.1
> >>    Connecting to localhost (localhost)|127.0.0.1|:443... connected.
> >>    GnuTLS: A TLS fatal alert has been received.
> >>    GnuTLS: received alert [112]: The server name sent was not recognized
> >>    Unable to establish SSL connection.
> >> 
> >> Cheers and thank you for wget!
> >> 
> >> --mancha
> 
> 

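The thread above turns on one distinction: a warning-level TLS alert (such as
unrecognized_name, description 112, sent by an SNI-aware server that does not
know the requested name) should not end the handshake, while a fatal-level
alert must. The following is an added example, not code from wget, GnuTLS or
the patch under discussion. It parses plaintext TLS alert records by hand
(record layout per RFC 5246 6.2.1, alert codes per RFC 5246 7.2 and RFC 6066)
and applies the continue/abort policy the thread describes, including the one
warning that still means "stop" (close_notify). All function and sample names
are this example's own; the sample records are constructed, not captured.
It only covers alerts sent before ChangeCipherSpec, since later alerts are
encrypted and only the TLS library can decode them.

```c
/* Added example (not wget/GnuTLS code): plaintext TLS alert parsing plus the
 * "tolerate warnings, abort on fatal" handshake policy from the thread. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLS_CT_ALERT        21
#define TLS_ALERT_WARNING    1
#define TLS_ALERT_FATAL      2
#define TLS_AD_CLOSE_NOTIFY  0

enum hs_action { HS_CONTINUE = 0, HS_ABORT = 1 };

struct tls_alert {
    uint8_t level;        /* 1 = warning, 2 = fatal */
    uint8_t description;  /* AlertDescription code, e.g. 112 = unrecognized_name */
};

/* Parse one plaintext record: type(1) version(2) length(2) fragment.
 * Returns 1 and fills *out for a well-formed alert record, 0 otherwise. */
int parse_tls_alert(const uint8_t *buf, size_t len, struct tls_alert *out)
{
    if (len < 5 || buf[0] != TLS_CT_ALERT || buf[1] != 3)
        return 0;                          /* major version 3: SSL3..TLS1.2 */
    size_t frag_len = ((size_t)buf[3] << 8) | buf[4];
    if (frag_len != 2 || len < 5 + frag_len)
        return 0;                          /* an Alert body is exactly 2 bytes */
    if (buf[5] != TLS_ALERT_WARNING && buf[5] != TLS_ALERT_FATAL)
        return 0;                          /* AlertLevel must be 1 or 2 */
    out->level = buf[5];
    out->description = buf[6];
    return 1;
}

/* Subset of AlertDescription names (RFC 5246 7.2; 112 from RFC 6066). */
const char *tls_alert_name(uint8_t d)
{
    switch (d) {
    case 0:   return "close_notify";
    case 40:  return "handshake_failure";
    case 46:  return "certificate_unknown";
    case 48:  return "unknown_ca";
    case 80:  return "internal_error";
    case 100: return "no_renegotiation";
    case 112: return "unrecognized_name";
    default:  return "unknown";
    }
}

/* Policy from the thread: warning-level alerts let the handshake go on,
 * fatal-level alerts end it. close_notify is the one warning that still
 * means the peer is closing the connection, so it ends it as well. */
enum hs_action alert_action(const struct tls_alert *a)
{
    if (a->level == TLS_ALERT_FATAL || a->description == TLS_AD_CLOSE_NOTIFY)
        return HS_ABORT;
    return HS_CONTINUE;
}

/* Handshake-phase dispatcher: HS_CONTINUE for non-alert records and tolerated
 * warnings, HS_ABORT for fatal alerts and close_notify, -1 for a malformed
 * alert record (a caller should treat -1 as abort too). Logs in the style of
 * the patched wget's "received alert [112]: ..." line. */
int handle_handshake_record(const uint8_t *buf, size_t len)
{
    struct tls_alert a;

    if (len > 0 && buf[0] != TLS_CT_ALERT)
        return HS_CONTINUE;                /* handshake/CCS data: not an alert */
    if (!parse_tls_alert(buf, len, &a))
        return -1;
    fprintf(stderr, "received %s alert [%u]: %s\n",
            a.level == TLS_ALERT_FATAL ? "fatal" : "warning",
            (unsigned)a.description, tls_alert_name(a.description));
    return alert_action(&a);
}

/* Description code of a well-formed alert record, or -1. */
int alert_description_of(const uint8_t *buf, size_t len)
{
    struct tls_alert a;
    return parse_tls_alert(buf, len, &a) ? (int)a.description : -1;
}

/* Constructed sample records (not captured traffic). */
static const uint8_t SAMPLE_WARN_UNRECOGNIZED[]  = {21, 3, 3, 0, 2, 1, 112};
static const uint8_t SAMPLE_FATAL_UNRECOGNIZED[] = {21, 3, 3, 0, 2, 2, 112};
static const uint8_t SAMPLE_WARN_CLOSE_NOTIFY[]  = {21, 3, 3, 0, 2, 1, 0};
static const uint8_t SAMPLE_TRUNCATED_ALERT[]    = {21, 3, 3, 0, 2, 1};
static const uint8_t SAMPLE_HANDSHAKE_RECORD[]   = {22, 3, 3, 0, 4, 14, 0, 0, 0};

int main(void)
{
    printf("warning unrecognized_name -> %d\n",
           handle_handshake_record(SAMPLE_WARN_UNRECOGNIZED, sizeof SAMPLE_WARN_UNRECOGNIZED));
    printf("fatal unrecognized_name   -> %d\n",
           handle_handshake_record(SAMPLE_FATAL_UNRECOGNIZED, sizeof SAMPLE_FATAL_UNRECOGNIZED));
    printf("warning close_notify      -> %d\n",
           handle_handshake_record(SAMPLE_WARN_CLOSE_NOTIFY, sizeof SAMPLE_WARN_CLOSE_NOTIFY));
    printf("truncated alert           -> %d\n",
           handle_handshake_record(SAMPLE_TRUNCATED_ALERT, sizeof SAMPLE_TRUNCATED_ALERT));
    return 0;
}
```

The first sample is the case from mancha's test server (warning-level
unrecognized_name: continue), the second is the same alert at fatal level
(abort). A real client never has to parse these bytes itself: GnuTLS surfaces
a received alert as GNUTLS_E_WARNING_ALERT_RECEIVED or
GNUTLS_E_FATAL_ALERT_RECEIVED from gnutls_handshake(), and gnutls_alert_get()
gives the description code the log line prints. What the example makes
explicit is the decision that sits behind the retry loop in the thread.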


