[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Bug-wget] OpenSSL 1.1.0
From: |
Tim Ruehsen |
Subject: |
Re: [Bug-wget] OpenSSL 1.1.0 |
Date: |
Wed, 29 Jun 2016 10:05:45 +0200 |
User-agent: |
KMail/4.14.10 (Linux/4.6.0-1-amd64; KDE/4.14.21; x86_64; ; ) |
On Wednesday 29 June 2016 00:10:34 Ángel González wrote:
> On 28/06/16 22:16, Tim Rühsen wrote:
> > Patching src/openssl.c for 1.1.0 (see below) let it compile.
> > But the HTTPS tests fail due to
> >
> > ERROR: cannot verify localhost's certificate, issued by
> > 'O=GNU,OU=Wget,CN=GNU>
> > Wget':
> > unsupported certificate purpose
> >
> > Any idea ?
>
> server-cert.pem has the following extensions:
> Key Usage
> Usages: Revocation list signature
> Critical: Yes
>
> Extended Key Usage
> Allowed Purposes: Server Authentication
> Critical: No
>
>
> Looks like the second extension isn't supported by OpenSSL 1.1.0, and
> Server Authentication not being in Key Usage, it is rejected.
>
> Recreate this certificate with no Key Usage at all would probably fix
> it. I'm not sure about the required steps, though.
Thanks for the hint, I'll check it out.
BTW, I documented the creation of the test certs in testenv/certs/README.
Meanwhile I saw that certtool supports also has a non-interactive mode... so
it would be possible to write a small shell script to automate the process of
creating the test keys/certs/crl etc.
Regards
signature.asc
Description: This is a digitally signed message part.