Re: [Bug-wget] Overly permissive hostname matching
From: Jeffrey Walton
Subject: Re: [Bug-wget] Overly permissive hostname matching
Date: Tue, 18 Mar 2014 18:36:51 -0400
Hi Tim,
On Tue, Mar 18, 2014 at 5:31 PM, Tim Rühsen <address@hidden> wrote:
> ...
> BTW, to reproduce the issue I used a GnuTLS compiled/linked version of Wget:
>
> $ wget -d --ca-certificate=ca-rsa-cert.pem --private-key=ca-rsa-key-plain.pem https://example.com:8443
> 2014-03-18 21:48:04 (1.88 GB/s) - Read error at byte 5116 (The TLS connection
> was non-properly terminated.).Retrying.
>
> There seems to be a problem in Wget 1.15 (on Debian SID)...
Confirmed on wheezy. I thought it was my OpenSSL server.
> But apart from that, Wget uses the hostname checking facility of the GnuTLS
> library (or of the OpenSSL library if appropriately compiled).
OpenSSL won't have hostname checking until 1.0.2. See the CHANGELOG at
https://www.openssl.org/news/changelog.html.
(Mentioned in case you thought wget was performing it via OpenSSL).
> IMHO, the Public Suffix List (PSL) should not only be used to verify cookies
> but also be used for certificate hostname checking.
+1
Jeff
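
The PSL-aware hostname check proposed in the quoted text could look like the following. This is an added example, not part of the original message and not code from Wget, GnuTLS or OpenSSL; `psl_excerpt`, `is_public_suffix` and `cert_name_matches` are hypothetical names, and the suffix list is a constructed excerpt.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed excerpt of plain PSL rules (assumption); a real check would
 * load the full list, including its wildcard and exception rules. */
static const char *const psl_excerpt[] = { "com", "org", "uk", "co.uk", NULL };

static int is_public_suffix(const char *domain)
{
    for (size_t i = 0; psl_excerpt[i] != NULL; i++)
        if (strcasecmp(domain, psl_excerpt[i]) == 0)
            return 1;
    return 0;
}

/* Hypothetical helper: returns 1 if certificate name `pattern` matches `host`.
 * A wildcard is accepted only as the whole left-most label, covers exactly
 * one label, never matches an IP literal, and is refused when the remainder
 * of the pattern is a public suffix. */
int cert_name_matches(const char *pattern, const char *host)
{
    if (strchr(pattern, '*') == NULL)
        return strcasecmp(pattern, host) == 0;
    if (pattern[0] != '*' || pattern[1] != '.' || strchr(pattern + 1, '*'))
        return 0;                      /* e.g. "w*.example.com", "*.*.com" */
    if (strchr(host, ':') || strspn(host, "0123456789.") == strlen(host))
        return 0;                      /* IP literals get no wildcard match */
    const char *rest = pattern + 2;
    if (*rest == '\0' || is_public_suffix(rest))
        return 0;                      /* "*.com", "*.co.uk": too permissive */
    const char *dot = strchr(host, '.');
    if (dot == NULL || dot == host)
        return 0;                      /* host needs a non-empty first label */
    return strcasecmp(dot + 1, rest) == 0;
}

int main(void)
{
    static const char *const cases[][2] = {
        { "*.example.com", "www.example.com" }, { "*.example.com", "a.b.example.com" },
        { "*.com", "example.com" },             { "*.co.uk", "example.co.uk" },
        { "*.example.co.uk", "www.example.co.uk" },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-18s vs %-18s -> %d\n", cases[i][0], cases[i][1],
               cert_name_matches(cases[i][0], cases[i][1]));
    return 0;
}
```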