Re: [Bug-wget] Overly permissive hostname matching
From: Tim Rühsen
Subject: Re: [Bug-wget] Overly permissive hostname matching
Date: Tue, 18 Mar 2014 22:31:11 +0100
User-agent: KMail/4.11.5 (Linux/3.13-1-amd64; KDE/4.11.5; x86_64; ; )
Hi Jeffrey,
thanks for pointing this out.
BTW, to reproduce the issue I used a GnuTLS compiled/linked version of Wget:
$ wget -d --ca-certificate=ca-rsa-cert.pem --private-key=ca-rsa-key-plain.pem https://example.com:8443
2014-03-18 21:48:04 (1.88 GB/s) - Read error at byte 5116 (The TLS connection was non-properly terminated.).Retrying.
There seems to be a problem in Wget 1.15 (on Debian SID)...
But apart from that, Wget uses the hostname checking facility of the GnuTLS
library (or of the OpenSSL library if appropriately compiled). And I saw you
already addressed bug-gnutls, which seems the right way to go.
IMHO, the Public Suffix List (PSL) should not only be used to verify cookies
but also be used for certificate hostname checking.
Libraries such as GnuTLS should offer an API for this kind of checking; best
would be having the PSL as a separate file, maintained by the distribution
maintainers (or the user, if he wants to do it). The SSL library should
load/unload the PSL under the application's control.
Maybe it would be a good idea to provide a separate PSL library that could be
used by SSL libraries for hostname checking and HTTP(S) clients for cookie
verification.
If of any interest, there is already some LGPLed code at
https://github.com/rockdaboot/mget/blob/master/libmget/cookie.c
There are also some unit test routines in the project.
Regards, Tim
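
One way a PSL lookup could feed into certificate hostname checking, as the message above proposes (an added example, not code from Wget, GnuTLS or mget): a wildcard certificate name is refused when the part after "*." is itself a public suffix. The function names and the four-entry suffix list are constructed for illustration, and applying the PSL to wildcard names in this way is an assumption.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp (POSIX) */

/* Constructed subset of the Public Suffix List, for illustration only.
 * The real list also has wildcard and exception rules, not handled here. */
static const char *const psl_subset[] = { "com", "org", "uk", "co.uk" };

/* Return 1 if `domain` is itself a public suffix in the subset above. */
static int is_public_suffix(const char *domain)
{
    size_t i;
    for (i = 0; i < sizeof psl_subset / sizeof psl_subset[0]; i++)
        if (strcasecmp(domain, psl_subset[i]) == 0)
            return 1;
    return 0;
}

/* Return 1 if certificate name `pattern` is acceptable for `host`.
 * A leading "*." wildcard stands for exactly one leftmost label and is
 * refused when the remainder is a public suffix (e.g. "*.com", "*.co.uk"). */
int cert_name_matches(const char *pattern, const char *host)
{
    const char *base, *dot;

    if (strncmp(pattern, "*.", 2) != 0)
        return strcasecmp(pattern, host) == 0;  /* no wildcard: exact match */

    base = pattern + 2;
    if (*base == '\0' || is_public_suffix(base))
        return 0;                               /* wildcard over a registry suffix */

    dot = strchr(host, '.');
    if (dot == NULL || dot == host)
        return 0;                               /* host needs a non-empty first label */
    return strcasecmp(dot + 1, base) == 0;      /* rest of host must equal the base */
}

int main(void)
{
    printf("%d\n", cert_name_matches("*.example.com", "www.example.com"));
    printf("%d\n", cert_name_matches("*.com", "example.com"));
    printf("%d\n", cert_name_matches("*.co.uk", "example.co.uk"));
    return 0;
}
```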