Hi Sci-Fi @ hush.ai, found a prob on your XPI (nice rhyme !)

Your problem is reproducible here by using
        -e timeout=20 -e check-certificate=off 

A workaround is 
        -e timeout=0

It must be some sort of regression, as you say.
I have no time to dig, but maybe my observation might help someone to find it.


> Certificates loaded: -1250
? Holy sheepshit, what is this ?
GNUTLS_E_UNIMPLEMENTED_FEATURE returned by 
gnutls_certificate_set_x509_system_trust().

Fixed in attached patch.

Tim


Am Montag, 4. November 2013, 16:36:56 schrieb SciFi:
> Hi,
> 
> (I am still here, still running OSX 10.6.8
>  with all security updates etc.)
> 
> I've compiled the 1.14.96-38327 tarball here.
> 
> With it, I'm suddenly getting retries when I need to
> fetch something with https
> (while regular http seems ok)
> no matter what server I need to pull from.
> 
> I also updated gnutls to 3.2.6
> and nettle to 2.7
> just in case
> but no help in this regard.
> 
> For example, here's a wget of
> the nightly Enigmail build
> 
> in debug mode:
> > $ wget -d https://www.enigmail.net/download/nightly/enigmail-nightly-all.xpi
> > DEBUG output created by Wget 1.14.96-38327 on darwin10.8.0.
> > 
> > URI encoding = ‘UTF-8’
> > --2013-11-04 10:06:45--  https://www.enigmail.net/download/nightly/enigmail-nightly-all.xpi
> > Certificates loaded: -1250
> > Resolving www.enigmail.net (www.enigmail.net)... 217.26.54.154
> > Caching www.enigmail.net => 217.26.54.154
> > Connecting to www.enigmail.net (www.enigmail.net)|217.26.54.154|:443... connected.
> > Created socket 4.
> > Releasing 0x01091670 (new refcount 1).
> > WARNING: No certificate presented by www.enigmail.net.
> > 
> > ---request begin---
> > GET /download/nightly/enigmail-nightly-all.xpi HTTP/1.1
> > User-Agent: Wget/1.14.96-38327 (darwin10.8.0)
> > Accept: */*
> > Host: www.enigmail.net
> > Connection: Keep-Alive
> > 
> > ---request end---
> > HTTP request sent, awaiting response... Read error (Success.) in headers.
> > Retrying.
> > 
> > --2013-11-04 10:06:47--  (try: 2)  https://www.enigmail.net/download/nightly/enigmail-nightly-all.xpi
> > Found www.enigmail.net in host_name_addresses_map (0x1091670)
> > Connecting to www.enigmail.net (www.enigmail.net)|217.26.54.154|:443... connected.
> > Created socket 4.
> > Releasing 0x01091670 (new refcount 1).
> > WARNING: No certificate presented by www.enigmail.net.
> > 
> > ---request begin---
> > GET /download/nightly/enigmail-nightly-all.xpi HTTP/1.1
> > User-Agent: Wget/1.14.96-38327 (darwin10.8.0)
> > Accept: */*
> > Host: www.enigmail.net
> > Connection: Keep-Alive
> > 
> > ---request end---
> > HTTP request sent, awaiting response... Read error (Success.) in headers.
> > Retrying.
> > 
> > --2013-11-04 10:06:49--  (try: 3)  https://www.enigmail.net/download/nightly/enigmail-nightly-all.xpi
> > Found www.enigmail.net in host_name_addresses_map (0x1091670)
> > Connecting to www.enigmail.net (www.enigmail.net)|217.26.54.154|:443... connected.
> > Created socket 4.
> > Releasing 0x01091670 (new refcount 1).
> > WARNING: No certificate presented by www.enigmail.net.
> > 
> > ---request begin---
> > GET /download/nightly/enigmail-nightly-all.xpi HTTP/1.1
> > User-Agent: Wget/1.14.96-38327 (darwin10.8.0)
> > Accept: */*
> > Host: www.enigmail.net
> > Connection: Keep-Alive
> > 
> > ---request end---
> > HTTP request sent, awaiting response... Read error (Success.) in headers.
> > Retrying.
> > 
> > ^C
> 
> I can fetch this file ok
> with 1.14.96-38327
> if I use plain http.  ;)
> 
> 
> I saved the current stable 1.14 build of wget
> and it fetches from https ok.
> So this might be a regression of some sort.
> 
> My ~/.wgetrc (for all wget versions/sessions shown here):
> > $ cat ~/.wgetrc
> > tries = 0
> > continue = on
> > timestamping = on
> > timeout = 20
> > waitretry = 5
> > random_wait = on
> > #inet4_only = on
> > #prefer_family = IPv4
> > retry_connrefused = on
> > check-certificate = off
> > trust-server-names = on
> > #content-on-error = on
> > auth-no-challenge = on
> > ca-certificate = /usr/local/share/wget/cacert.pem
> > robots = off
> > #load-cookies = /Users/scifi/Library/Application Support/Camino/cookies.txt
> 
> My compile parms:
> > $ wget --version
> > GNU Wget 1.14.96-38327 built on darwin10.8.0.
> > 
> > +digest +https +ipv6 +iri +large-file +nls +ntlm +opie +ssl/gnutls
> > 
> > Wgetrc:
> >     /Users/scifi/.wgetrc (user)
> >     /usr/local/etc/wgetrc (system)
> > 
> > Locale:
> >     /usr/local/share/locale
> > 
> > Compile:
> >     gcc-4.2 -DHAVE_CONFIG_H -DSYSTEM_WGETRC="/usr/local/etc/wgetrc"
> >     -DLOCALEDIR="/usr/local/share/locale" -I. -I../lib -I../lib
> >     -I/usr/local/ssl/include -I/usr/X11/include -I/usr/local/include
> >     -I/WhichXcode/Headers/FlatCarbon -I/usr/include
> >     -I/usr/local/include -Os -mtune=core2 -march=core2
> >     -force_cpusubtype_ALL -arch i386
> > 
> > Link:
> >     gcc-4.2 -Os -mtune=core2 -march=core2 -force_cpusubtype_ALL -arch
> >     i386 -Os -mtune=core2 -march=core2 -force_cpusubtype_ALL -arch i386
> >     -L/usr/local/lib -L/usr/local/lib -liconv -L/usr/local/lib -lintl
> >     -Wl,-framework -Wl,CoreFoundation -lnettle -L/usr/local/lib
> >     -lgnutls -L/usr/local/ssl/lib -L/usr/local/lib/libquicktime
> >     -L/usr/X11/lib -lnettle -lhogweed -lgmp /usr/lib/libz.dylib
> >     -lp11-kit -lintl /usr/lib/libpthread.dylib -lz -L/usr/local/ssl/lib
> >     -L/usr/local/lib/libquicktime -L/usr/local/lib -L/usr/X11/lib
> >     -L/usr/lib -lidn -lpcre ftp-opie.o gnutls.o http-ntlm.o
> >     ../lib/libgnu.a
> > 
> > Copyright (C) 2011 Free Software Foundation, Inc.
> > License GPLv3+: GNU GPL version 3 or later
> > <http://www.gnu.org/licenses/gpl.html>.
> > This is free software: you are free to change and redistribute it.
> > There is NO WARRANTY, to the extent permitted by law.
> > 
> > Originally written by Hrvoje Niksic <hnik...@xemacs.org>.
> > Please send bug reports and questions to <bug-wget@gnu.org>.
> 
> Of course I would much-rather use Secure mode
> rather than open-clear mode
> if for no other reason than to
> tell TPTB to stop spying on everyone.
> If ya git my gist.
> ;)
> 
> 
> FWIW, thanks for keeping this project alive.

From 60ee1abcad86dbeb542688d46983512b59ab2c85 Mon Sep 17 00:00:00 2001
From: Tim Ruehsen <tim.rueh...@gmx.de>
Date: Mon, 4 Nov 2013 21:22:41 +0100
Subject: [PATCH] fix number of certificates in debug msg

---
 src/ChangeLog | 4 ++++
 src/gnutls.c  | 4 ++--
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/src/ChangeLog b/src/ChangeLog
index 42ce3e4..2c87ee8 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,3 +1,7 @@
+2013-11-04  Tim Ruehsen  <tim.rueh...@gmx.de>
+
+	* gnutls.c (ssl_init): fix number of certificates in debug msg
+
 2013-11-02  Giuseppe Scrivano  <gscri...@redhat.com>
 
 	* http.c (gethttp): Increase max header value length to 512.
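
Review bot: the new ChangeLog entry (like the empty commit body) says only that the count in the debug message is fixed and gives no cause. It should record that ncerts still held the negative return value of gnutls_certificate_set_x509_system_trust() when the CA directory fallback ran, for example "(ssl_init): Reset ncerts before the CA directory fallback so a negative GnuTLS error code is not reported as the number of certificates."
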
diff --git a/src/gnutls.c b/src/gnutls.c
index 9b4b1ec..715aadb 100644
--- a/src/gnutls.c
+++ b/src/gnutls.c
@@ -104,6 +104,8 @@ ssl_init (void)
    * Also use old behaviour if the CA directory is user-provided.  */
   if (ncerts <= 0)
     {
+      ncerts = 0;
+
       ca_directory = opt.ca_directory ? opt.ca_directory : "/etc/ssl/certs";
       if ((dir = opendir (ca_directory)) == NULL)
         {
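
Review bot: inside the `if (ncerts <= 0)` branch, the added `ncerts = 0;` discards a negative value without reporting it, and per the cover message that value is the GnuTLS error code from gnutls_certificate_set_x509_system_trust() (GNUTLS_E_UNIMPLEMENTED_FEATURE in this report). Suggest emitting a debug line with gnutls_strerror (ncerts) before the reset, so a failed system trust load is visible rather than only appearing as a count of 0. The commit message could also state that this only corrects the message and does not address the retries reproduced with timeout=20.
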
@@ -118,8 +120,6 @@ ssl_init (void)
           size_t dirlen = strlen(ca_directory);
           int rc;
 
-          ncerts = 0;
-
           while ((dent = readdir (dir)) != NULL)
             {
               struct stat st;
-- 
1.8.4.2
