Hello.

wget, built against GnuTLS, terminates SSL/TLS handshakes upon receiving any error alert (including non-fatal ones). This creates a problem when connecting to servers that support TLS-SNI and reply with a warning-level unrecognized name alert (e.g. due to misconfiguration).

My patch changes wget's behavior to ignore warning-level alerts during client/server hello and provides more detailed logging. The patch's compound conditional is not strictly necessary because GNUTLS_E_WARNING_ALERT_RECEIVED is non-fatal but a check on the latter is included as a fail-safe. It applies cleanly to HEAD@277785fa.

Ignoring non-fatal alerts during handshake is consistent with Firefox and Chrome behavior.

I set up a server to replicate unrecognized_name alert conditions:

A. Current behavior:

[warning-level alert]

    $ wget https://localhost
    --2013-05-05 08:18:35-- https://localhost/
    Resolving localhost (localhost)... 127.0.0.1
    Connecting to localhost (localhost)|127.0.0.1|:443... connected.
    GnuTLS: A TLS warning alert has been received.
    Unable to establish SSL connection.

[fatal-level alert]

    $ wget https://localhost
    --2013-05-05 08:20:52-- https://localhost/
    Resolving localhost (localhost)... 127.0.0.1
    Connecting to localhost (localhost)|127.0.0.1|:443... connected.
    GnuTLS: A TLS fatal alert has been received.
    Unable to establish SSL connection.

B. Behavior after patch:

[warning-level alert]

    $ wget https://localhost
    --2013-05-05 08:01:40-- https://localhost/
    Resolving localhost (localhost)... 127.0.0.1
    Connecting to localhost (localhost)|127.0.0.1|:443... connected.
    GnuTLS: A TLS warning alert has been received.
    GnuTLS: received alert [112]: The server name sent was not recognized
    HTTP request sent, awaiting response... 200 OK
    Length: unspecified [text/html]
    Saving to: 'index.html'

[fatal-level alert]

    $ wget https://localhost
    --2013-05-05 08:03:27-- https://localhost/
    Resolving localhost (localhost)... 127.0.0.1
    Connecting to localhost (localhost)|127.0.0.1|:443... connected.
    GnuTLS: A TLS fatal alert has been received.
    GnuTLS: received alert [112]: The server name sent was not recognized
    Unable to establish SSL connection.

Cheers and thank you for wget!

--mancha
0001-gnutls-do-not-abort-on-non-fatal-alerts-during-hands.patch
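The warning-versus-fatal policy described in the message above, applied to raw TLS records, as an added example that is neither wget's code nor the attached patch. The function name `scan_hello_records`, the result type and the sample bytes are constructed for illustration; the record layout and alert values (level 1 warning, level 2 fatal, description 112 unrecognized_name) follow RFC 5246 and RFC 6066.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { CT_ALERT = 21, CT_HANDSHAKE = 22, LVL_WARNING = 1, LVL_FATAL = 2 };
typedef enum { HS_CONTINUE, HS_ABORT, HS_MALFORMED } hs_result; /* hypothetical type */

/* Walk the plaintext records a client receives during the hello phase.
   Warning alerts are logged and skipped; a fatal alert aborts; anything
   truncated, oversized or of unknown level fails closed. */
hs_result scan_hello_records(const uint8_t *buf, size_t len, unsigned *warnings)
{
    size_t off = 0;
    *warnings = 0;
    while (off < len) {
        /* 5-byte header: type, version major/minor, 16-bit length */
        if (len - off < 5 || buf[off + 1] != 3)
            return HS_MALFORMED;
        size_t body = ((size_t)buf[off + 3] << 8) | buf[off + 4];
        if (body > len - off - 5)
            return HS_MALFORMED;
        if (buf[off] == CT_ALERT) {
            if (body != 2)              /* alert body is level + description */
                return HS_MALFORMED;
            unsigned level = buf[off + 5], desc = buf[off + 6];
            printf("received alert [%u], level %u\n", desc, level);
            if (level == LVL_FATAL)
                return HS_ABORT;
            if (level != LVL_WARNING)
                return HS_MALFORMED;
            ++*warnings;                /* non-fatal: keep handshaking */
        } else if (buf[off] != CT_HANDSHAKE) {
            return HS_MALFORMED;
        }
        off += 5 + body;
    }
    return HS_CONTINUE;
}

/* Constructed samples: alert 112 at each level; the handshake body is a stub. */
static const uint8_t sample_warning[] = { 21, 3, 3, 0, 2, 1, 112,
                                          22, 3, 3, 0, 4, 2, 0, 0, 0 };
static const uint8_t sample_fatal[]   = { 21, 3, 3, 0, 2, 2, 112 };

int main(void)
{
    unsigned w;
    printf("warning: %d\n", scan_hello_records(sample_warning, sizeof sample_warning, &w));
    printf("fatal:   %d\n", scan_hello_records(sample_fatal, sizeof sample_fatal, &w));
    return 0;
}
```

Continuing past a warning-level unrecognized_name alert does not relax certificate checking: the server may answer with a default certificate, so hostname verification still decides whether the connection is trusted.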
