
[Bug-wget] Test certificate host name verification fails with GnuTLS 3.5


From: Ludovic Courtès
Subject: [Bug-wget] Test certificate host name verification fails with GnuTLS 3.5.12+
Date: Sat, 08 Jul 2017 15:32:44 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.2 (gnu/linux)

Hello,

I experienced the test failure reported at
<https://lists.gnu.org/archive/html/bug-wget/2017-06/msg00009.html> for
‘testenv/Test--https.py’ and related tests with:

  The certificate's owner does not match hostname

There’s no problem when wget is built against GnuTLS 3.5.9; the test
failure shows up when wget is built against GnuTLS 3.5.13.

After digging a bit, I found this change in GnuTLS 3.5.12 ‘NEWS’:

--8<---------------cut here---------------start------------->8---
** libgnutls: gnutls_x509_crt_check_hostname2() no longer matches IP addresses
   against DNS fields of certificate (CN or DNSname). The previous behavior
   was to tolerate some misconfigured servers, but that was non-standard
   and skipped any IP constraints present in higher level certificates.
--8<---------------cut here---------------end--------------->8---

I think the fix is (1) to explicitly regenerate test certificates that
use “localhost” as their ‘DNSname’ (when replying to certtool’s “Enter a
dnsName of the subject of the certificate”), and (2) to use “localhost”
instead of “127.0.0.1” in test URIs.

Thoughts?

Ludo’.
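
The matching rule from the NEWS entry quoted above, as an added example that is not part of the original message and is not GnuTLS or wget code. It is a simplified model: the certificate dictionaries, the function names and the `tolerate_ip_in_dns_fields` switch (standing in for the pre-3.5.12 behaviour) are assumptions made for illustration, and the sample certificates are constructed.

```python
import ipaddress

# Constructed sample certificates (name fields only), not wget's real test certs.
IP_AS_DNSNAME_CERT = {"common_name": "127.0.0.1", "dns_names": ["127.0.0.1"], "ip_addresses": []}
LOCALHOST_CERT = {"common_name": "localhost", "dns_names": ["localhost"], "ip_addresses": []}
IP_SAN_CERT = {"common_name": "test", "dns_names": [], "ip_addresses": ["127.0.0.1"]}


def _parse_ip(name):
    """Return an ip_address object if name is an IP literal, else None."""
    try:
        return ipaddress.ip_address(name)
    except ValueError:
        return None


def _dns_match(pattern, host):
    """Case-insensitive DNS comparison; '*.' covers exactly one left-most label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        head, dot, rest = host.partition(".")
        return bool(head) and dot == "." and rest == pattern[2:]
    return pattern == host


def check_hostname(cert, reference, tolerate_ip_in_dns_fields=False):
    """Model of the hostname check; the flag models the old, tolerant behaviour."""
    ref_ip = _parse_ip(reference)
    if ref_ip is not None:
        # An IP reference is compared with iPAddress SAN entries first.
        if any(_parse_ip(ip) == ref_ip for ip in cert["ip_addresses"]):
            return True
        # Strict behaviour: never compare an IP with DNSname or CN.
        if not tolerate_ip_in_dns_fields:
            return False
    # DNS reference (or tolerant fallback): DNSname entries, CN only if none exist.
    names = cert["dns_names"] or [cert["common_name"]]
    return any(_dns_match(name, reference) for name in names)


if __name__ == "__main__":
    for label, cert, ref, old in [
        ("IP in DNSname, tolerant", IP_AS_DNSNAME_CERT, "127.0.0.1", True),
        ("IP in DNSname, strict", IP_AS_DNSNAME_CERT, "127.0.0.1", False),
        ("localhost DNSname, strict", LOCALHOST_CERT, "localhost", False),
        ("iPAddress SAN, strict", IP_SAN_CERT, "127.0.0.1", False),
    ]:
        print(f"{label}: {check_hostname(cert, ref, old)}")
```
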


