Hi Tim,

On Tue, Mar 18, 2014 at 5:31 PM, Tim Rühsen <[email protected]> wrote:
> ...
> BTW, to reproduce the issue I used a GnuTLS compiled/linked version of Wget:
>
> $ wget -d --ca-certificate=ca-rsa-cert.pem --private-key=ca-rsa-key-plain.pem
> https://example.com:8443
> 2014-03-18 21:48:04 (1.88 GB/s) - Read error at byte 5116 (The TLS connection
> was non-properly terminated.).Retrying.
>
> There seems to be a problem in Wget 1.15 (on Debian SID)...

Confirmed on wheezy. I thought it was my OpenSSL server.

> But despite from that, Wget uses the hostname checking facility of the GnuTLS
> library (or of OpenSSL library if appropriately compiled).

OpenSSL won't have hostname checking until 1.0.2. See the CHANGELOG at https://www.openssl.org/news/changelog.html. (Mentioned in case you thought wget was performing it via OpenSSL).

> IMHO, the Public Suffix List (PSL) should not only be used to verify cookies but
> also be used for certificate hostname checking.

+1

Jeff
