[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Bug-wget] OpenSSL 1.1.0

From: Tim Ruehsen
Subject: Re: [Bug-wget] OpenSSL 1.1.0
Date: Wed, 29 Jun 2016 13:22:07 +0200
User-agent: KMail/4.14.10 (Linux/4.6.0-1-amd64; KDE/4.14.21; x86_64; ; )

On Wednesday 29 June 2016 00:10:34 Ángel González wrote:
> On 28/06/16 22:16, Tim Rühsen wrote:
> > Patching src/openssl.c for 1.1.0 (see below) let it compile.
> > But the HTTPS tests fail due to
> > 
> > ERROR: cannot verify localhost's certificate, issued by
> > 'O=GNU,OU=Wget,CN=GNU> 
> > Wget':
> >    unsupported certificate purpose
> > 
> > Any idea ?
> server-cert.pem has the following extensions:
> Key Usage
> Usages:    Revocation list signature
> Critical:    Yes
> Extended Key Usage
> Allowed Purposes:    Server Authentication
> Critical:    No
> Looks like the second extension isn't supported by OpenSSL 1.1.0, and
> Server Authentication not being in Key Usage, it is rejected.
> Recreate this certificate with no Key Usage at all would probably fix
> it. I'm not sure about the required steps, though.

Just pushed a commit with a shell script to automatically generate the files 
in testenv/certs. Built with GnuTLS, wget passes the tests.

With OpenSSL 1.1.0 (+ my patch + freshly generated certs), wget spins at all 
HTTPS tests, eating up 100% CPU.

With OpenSSL 1.1.0 (+ my patch + old certs), wget spins only in Test-
pinnedpubkey-der-no-check-https.py. The other HTTPS tests fail.

With a little debug output, I verified that SSL_peek() does not return (and 
spins). Here is wget / valgrind output:

Setting --no-config (noconfig) to 1
Setting --check-certificate (checkcertificate) to 0
Setting --pinnedpubkey (pinnedpubkey) to 
DEBUG output created by Wget 1.18.7-4335 on linux-gnu.

Reading HSTS entries from /usr/oms/.wget-hsts
URI encoding = ‘UTF-8’
Converted file name 'File1' (UTF-8) -> 'File1' (UTF-8)
--2016-06-29 13:15:01--
Connecting to connected.
Created socket 3.
Releasing 0x00000000093d49d0 (new refcount 0).
Deleting unused 0x00000000093d49d0.
Initiating SSL handshake.
Handshake successful; connected socket 3 to SSL handle 0x00000000093d4b90
  subject: O=GNU,OU=Wget,CN=
  issuer:  O=GNU,OU=Wget,CN=GNU Wget
WARNING: cannot verify's certificate, issued by 
‘O=GNU,OU=Wget,CN=GNU Wget’:
  Unable to locally verify the issuer's authority.

---request begin---
GET /File1 HTTP/1.1
User-Agent: Wget/1.18.7-4335 (linux-gnu)
Accept: */*
Accept-Encoding: identity
Connection: Keep-Alive

---request end--- - - [29/Jun/2016 13:15:02] "GET /File1 HTTP/1.1" 200 -
HTTP request sent, awaiting response... 
[Here is spins - killing memcheck process after a while:]
==560== Process terminating with default action of signal 15 (SIGTERM)
==560==    at 0x54D802A: ??? (in /usr/lib/x86_64-linux-gnu/libssl.so.1.1)
==560==    by 0x54DDFB5: ??? (in /usr/lib/x86_64-linux-gnu/libssl.so.1.1)
==560==    by 0x54E7B56: SSL_peek (in /usr/lib/x86_64-linux-gnu/libssl.so.1.1)
==560==    by 0x4360BC: openssl_peek (openssl.c:420)
==560==    by 0x429BEC: fd_read_hunk (retr.c:513)
==560==    by 0x41D546: read_http_response_head (http.c:575)
==560==    by 0x41D546: gethttp (http.c:3162)
==560==    by 0x42074F: http_loop (http.c:3975)
==560==    by 0x42AB75: retrieve_url (retr.c:817)
==560==    by 0x406C72: main (main.c:1947)

This kind of error could be anything... but OpenSSL should not behave like 
that at all... any ideas ?

Regards, Tim

Attachment: signature.asc
Description: This is a digitally signed message part.

reply via email to

[Prev in Thread] Current Thread [Next in Thread]