On Wednesday 29 June 2016 00:10:34 Ángel González wrote: > On 28/06/16 22:16, Tim Rühsen wrote: > > Patching src/openssl.c for 1.1.0 (see below) let it compile. > > But the HTTPS tests fail due to > > > > ERROR: cannot verify localhost's certificate, issued by > > 'O=GNU,OU=Wget,CN=GNU> > > Wget': > > unsupported certificate purpose > > > > Any idea ? > > server-cert.pem has the following extensions: > Key Usage > Usages: Revocation list signature > Critical: Yes > > Extended Key Usage > Allowed Purposes: Server Authentication > Critical: No > > > Looks like the second extension isn't supported by OpenSSL 1.1.0, and > Server Authentication not being in Key Usage, it is rejected. > > Recreate this certificate with no Key Usage at all would probably fix > it. I'm not sure about the required steps, though.
Just pushed a commit with a shell script to automatically generate the files in testenv/certs. Built with GnuTLS, wget passes the tests. With OpenSSL 1.1.0 (+ my patch + freshly generated certs), wget spins at all HTTPS tests, eating up 100% CPU. With OpenSSL 1.1.0 (+ my patch + old certs), wget spins only in Test- pinnedpubkey-der-no-check-https.py. The other HTTPS tests fail. With a little debug output, I verified that SSL_peek() does not return (and spins). Here is wget / valgrind output: Setting --no-config (noconfig) to 1 Setting --check-certificate (checkcertificate) to 0 Setting --pinnedpubkey (pinnedpubkey) to /usr/oms/src/wget1.x/testenv/certs/server-pubkey.der DEBUG output created by Wget 1.18.7-4335 on linux-gnu. Reading HSTS entries from /usr/oms/.wget-hsts URI encoding = ‘UTF-8’ Converted file name 'File1' (UTF-8) -> 'File1' (UTF-8) --2016-06-29 13:15:01-- https://127.0.0.1:34755/File1 Connecting to 127.0.0.1:34755... connected. Created socket 3. Releasing 0x00000000093d49d0 (new refcount 0). Deleting unused 0x00000000093d49d0. Initiating SSL handshake. Handshake successful; connected socket 3 to SSL handle 0x00000000093d4b90 certificate: subject: O=GNU,OU=Wget,CN=127.0.0.1 issuer: O=GNU,OU=Wget,CN=GNU Wget WARNING: cannot verify 127.0.0.1's certificate, issued by ‘O=GNU,OU=Wget,CN=GNU Wget’: Unable to locally verify the issuer's authority. ---request begin--- GET /File1 HTTP/1.1 User-Agent: Wget/1.18.7-4335 (linux-gnu) Accept: */* Accept-Encoding: identity Host: 127.0.0.1:34755 Connection: Keep-Alive ---request end--- 127.0.0.1 - - [29/Jun/2016 13:15:02] "GET /File1 HTTP/1.1" 200 - HTTP request sent, awaiting response... [Here is spins - killing memcheck process after a while:] ==560== ==560== Process terminating with default action of signal 15 (SIGTERM) ==560== at 0x54D802A: ??? (in /usr/lib/x86_64-linux-gnu/libssl.so.1.1) ==560== by 0x54DDFB5: ??? (in /usr/lib/x86_64-linux-gnu/libssl.so.1.1) ==560== by 0x54E7B56: SSL_peek (in /usr/lib/x86_64-linux-gnu/libssl.so.1.1) ==560== by 0x4360BC: openssl_peek (openssl.c:420) ==560== by 0x429BEC: fd_read_hunk (retr.c:513) ==560== by 0x41D546: read_http_response_head (http.c:575) ==560== by 0x41D546: gethttp (http.c:3162) ==560== by 0x42074F: http_loop (http.c:3975) ==560== by 0x42AB75: retrieve_url (retr.c:817) ==560== by 0x406C72: main (main.c:1947) ==560== This kind of error could be anything... but OpenSSL should not behave like that at all... any ideas ? Regards, Tim
signature.asc
Description: This is a digitally signed message part.