[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Bug-wget] Test certificate host name verification fails with GnuTLS 3.5
|
From: |
Ludovic Courtès |
|
Subject: |
[Bug-wget] Test certificate host name verification fails with GnuTLS 3.5.12+ |
|
Date: |
Sat, 08 Jul 2017 15:32:44 +0200 |
|
User-agent: |
Gnus/5.13 (Gnus v5.13) Emacs/25.2 (gnu/linux) |
Hello,
I experienced the test failure reported at
<https://lists.gnu.org/archive/html/bug-wget/2017-06/msg00009.html> for
‘testenv/Test--https.py’ and related tests with:
The certificate's owner does not match hostname
There’s no problem when wget is built against GnuTLS 3.5.9; the test
failure shows up when wget is built against GnuTLS 3.5.13.
After digging a bit, I found this change in GnuTLS 3.5.12 ‘NEWS’:
--8<---------------cut here---------------start------------->8---
** libgnutls: gnutls_x509_crt_check_hostname2() no longer matches IP addresses
against DNS fields of certificate (CN or DNSname). The previous behavior
was to tolerate some misconfigured servers, but that was non-standard
and skipped any IP constraints present in higher level certificates.
--8<---------------cut here---------------end--------------->8---
I think the fix is (1) to explicitly regenerate test certificates that
use “localhost” as their ‘DNSname’ (when replying to certtool’s “Enter a
dnsName of the subject of the certificate”), and (2) to use “localhost”
instead of “127.0.0.1” in test URIs.
Thoughts?
Ludo’.
- [Bug-wget] Test certificate host name verification fails with GnuTLS 3.5.12+,
Ludovic Courtès <=