[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Bug-wget] [PATCH] Improve handling of SSL/TLS alerts with GnuTLS.
From: |
Tim Rühsen |
Subject: |
Re: [Bug-wget] [PATCH] Improve handling of SSL/TLS alerts with GnuTLS. |
Date: |
Mon, 6 May 2013 20:58:54 +0200 |
User-agent: |
KMail/1.13.7 (Linux/3.7-trunk-amd64; KDE/4.8.4; x86_64; ; ) |
Ok, thanks.
Your patch should go into git.
Looks like, handling other non-fatal events needs some deeper knowledge
(except GNUTLS_E_INTERRUPTED, which should not occur).
Whenever the need arises...
Regards, Tim
Am Montag, 6. Mai 2013 schrieb mancha:
> Hi.
>
> You are right that GNUTLS_E_WARNING_ALERT_RECEIVED is not the only
> non-fatal return value. In GnuTLS 2.12.x there's
> GNUTLS_E_INTERRUPTED,
> GNUTLS_E_REHANDSHAKE, GNUTLS_E_WARNING_IA_IPHF_RECEIVED, and
> GNUTLS_E_WARNING_IA_FPHF_RECEIVED.
>
> My patch only addresses non-fatal *alerts* (a subset of non-fatal
> errors) so theoretically the loop is logically equivalent to:
>
> do
> [code]
> while (err == GNUTLS_E_WARNING_ALERT_RECEIVED);
>
> My first version of the patch relied entirely on
> gnutls_error_is_fatal() like your example. However, I decided
> to narrow down the scope because I didn't feel familiar enough
> with potential side-effects of ignoring other non-fatal events.
>
> As to re-handshake requests, wget doesn't handle those (something
> to work on).
>
> --mancha
>
> On Mon, 06 May 2013 08:24:50 +0000 "Tim Ruehsen"
> <address@hidden> wrote:
> >Hi,
> >
> >thanks for your work to improve wget !
> >
> >Are you shure, there are no other non-fatal return values ?
> >e.g. GNUTLS_E_REHANDSHAKE
> >
> >AFAIK, a GnuTLS example that also uses a handshake loop, but
> >relies completely
> >on gnutls_error_is_fatal():
> >
> >// simplified version without timeout handling
> >do {
> > ret = gnutls_handshake(session);
> >} while (ret != 0 && !gnutls_error_is_fatal(ret));
> >
> >Regards, Tim
> >
> >Am Sunday 05 May 2013 schrieb mancha:
> >> Hello.
> >>
> >> wget, built against GnuTLS, terminates SSL/TLS handshakes
> >> upon receiving any error alert (including non-fatal ones).
> >>
> >> This creates a problem when connecting to servers that support
> >> TLS-SNI and reply with a warning-level unrecognized name alert
> >> (eg. due to misconfiguration).
> >>
> >> My patch changes wget's behavior to ignore warning-level alerts
> >> during client/server hello and provides more detailed logging.
> >The
> >> patch's compound conditional is not strictly necessary because
> >> GNUTLS_E_WARNING_ALERT_RECEIVED is non-fatal but a check on the
> >> latter is included as a fail-safe. It applies cleanly to
> >> address@hidden
> >>
> >> Ignoring non-fatal alerts during handshake is consistent with
> >> Firefox and Chrome behavior.
> >>
> >> I set up a server to replicate unrecognized_name alert
> >conditions:
> >>
> >> A. Current behavior:
> >>
> >> [warning-level alert]
> >> $ wget https://localhost
> >> --2013-05-05 08:18:35-- https://localhost/
> >> Resolving localhost (localhost)... 127.0.0.1
> >> Connecting to localhost (localhost)|127.0.0.1|:443...
> >connected.
> >> GnuTLS: A TLS warning alert has been received.
> >> Unable to establish SSL connection.
> >>
> >> [fatal-level alert]
> >> $ wget https://localhost
> >> --2013-05-05 08:20:52-- https://localhost/
> >> Resolving localhost (localhost)... 127.0.0.1
> >> Connecting to localhost (localhost)|127.0.0.1|:443...
> >connected.
> >> GnuTLS: A TLS fatal alert has been received.
> >> Unable to establish SSL connection.
> >>
> >> B. Behavior after patch:
> >>
> >> [warning-level alert]
> >> $ wget https://localhost
> >> --2013-05-05 08:01:40-- https://localhost/
> >> Resolving localhost (localhost)... 127.0.0.1
> >> Connecting to localhost (localhost)|127.0.0.1|:443...
> >connected.
> >> GnuTLS: A TLS warning alert has been received.
> >> GnuTLS: received alert [112]: The server name sent was not
> >> recognized
> >> HTTP request sent, awaiting response... 200 OK
> >> Length: unspecified [text/html]
> >> Saving to: 'index.html'
> >>
> >> [fatal-level alert]
> >> $ wget https://localhost
> >> --2013-05-05 08:03:27-- https://localhost/
> >> Resolving localhost (localhost)... 127.0.0.1
> >> Connecting to localhost (localhost)|127.0.0.1|:443...
> >connected.
> >> GnuTLS: A TLS fatal alert has been received.
> >> GnuTLS: received alert [112]: The server name sent was not
> >> recognized
> >> Unable to establish SSL connection.
> >>
> >> Cheers and thank you for wget!
> >>
> >> --mancha
>
>