[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Bug-wget] Test certificate host name verification fails with GnuTLS

From: Ludovic Courtès
Subject: Re: [Bug-wget] Test certificate host name verification fails with GnuTLS 3.5.12+
Date: Sun, 09 Jul 2017 21:26:04 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.2 (gnu/linux)

Hi Tim,

Tim Rühsen <address@hidden> skribis:

> On Samstag, 8. Juli 2017 15:32:44 CEST Ludovic Courtès wrote:
>> Hello,
>> I experienced the test failure reported at
>> <https://lists.gnu.org/archive/html/bug-wget/2017-06/msg00009.html> for
>> ‘testenv/Test--https.py’ and related tests with:
>>   The certificate's owner does not match hostname
>> There’s no problem when wget is built against GnuTLS 3.5.9; the test
>> failure shows up when wget is built against GnuTLS 3.5.13.
>> After digging a bit, I found this change in GnuTLS 3.5.12 ‘NEWS’:
>> --8<---------------cut here---------------start------------->8---
>> ** libgnutls: gnutls_x509_crt_check_hostname2() no longer matches IP
>> addresses against DNS fields of certificate (CN or DNSname). The previous
>> behavior was to tolerate some misconfigured servers, but that was
>> non-standard and skipped any IP constraints present in higher level
>> certificates. --8<---------------cut
>> here---------------end--------------->8---
>> I think the fix is (1) to explicitly regenerate test certificates that
>> use “localhost” as their ‘DNSname’ (when replying to certtool’s “Enter a
>> dnsName of the subject of the certificate”), and (2) to use “localhost”
>> instead of “” in test URIs.
>> Thoughts?
> Thanks again, fixed now by
> - hard-coding the server domain to 'localhost'
> - replacing by localhost in several tests
> - regenerating the server cert and crl files

Awesome, thanks for the quick reply!


reply via email to

[Prev in Thread] Current Thread [Next in Thread]