On Wednesday 29 June 2016 13:22:07 Tim Ruehsen wrote:
> On Wednesday 29 June 2016 00:10:34 Ángel González wrote:
> > On 28/06/16 22:16, Tim Rühsen wrote:
> > > Patching src/openssl.c for 1.1.0 (see below) let it compile.
> > > But the HTTPS tests fail due to
> > >
> > > ERROR: cannot verify localhost's certificate, issued by
> > > 'O=GNU,OU=Wget,CN=GNU Wget':
> > > unsupported certificate purpose
> > >
> > > Any idea ?
> >
> > server-cert.pem has the following extensions:
> > Key Usage
> > Usages: Revocation list signature
> > Critical: Yes
> >
> > Extended Key Usage
> > Allowed Purposes: Server Authentication
> > Critical: No
> >
> > Looks like the second extension isn't supported by OpenSSL 1.1.0, and
> > Server Authentication not being in Key Usage, it is rejected.
> >
> > Recreating this certificate with no Key Usage at all would probably fix
> > it. I'm not sure about the required steps, though.
>
> Just pushed a commit with a shell script to automatically generate the files
> in testenv/certs. Built with GnuTLS, wget passes the tests.
>
> With OpenSSL 1.1.0 (+ my patch + freshly generated certs), wget spins at all
> HTTPS tests, eating up 100% CPU.
>
> With OpenSSL 1.1.0 (+ my patch + old certs), wget spins only in
> Test-pinnedpubkey-der-no-check-https.py. The other HTTPS tests fail.
>
> With a little debug output, I verified that SSL_peek() does not return (and
> spins). Here is wget / valgrind output:
>
> Setting --no-config (noconfig) to 1
> Setting --check-certificate (checkcertificate) to 0
> Setting --pinnedpubkey (pinnedpubkey) to
> /usr/oms/src/wget1.x/testenv/certs/server-pubkey.der
> DEBUG output created by Wget 1.18.7-4335 on linux-gnu.
>
> Reading HSTS entries from /usr/oms/.wget-hsts
> URI encoding = ‘UTF-8’
> Converted file name 'File1' (UTF-8) -> 'File1' (UTF-8)
> --2016-06-29 13:15:01-- https://127.0.0.1:34755/File1
> Connecting to 127.0.0.1:34755... connected.
> Created socket 3.
> Releasing 0x00000000093d49d0 (new refcount 0).
> Deleting unused 0x00000000093d49d0.
> Initiating SSL handshake.
> Handshake successful; connected socket 3 to SSL handle 0x00000000093d4b90
> certificate:
> subject: O=GNU,OU=Wget,CN=127.0.0.1
> issuer: O=GNU,OU=Wget,CN=GNU Wget
> WARNING: cannot verify 127.0.0.1's certificate, issued by
> ‘O=GNU,OU=Wget,CN=GNU Wget’:
> Unable to locally verify the issuer's authority.
>
> ---request begin---
> GET /File1 HTTP/1.1
> User-Agent: Wget/1.18.7-4335 (linux-gnu)
> Accept: */*
> Accept-Encoding: identity
> Host: 127.0.0.1:34755
> Connection: Keep-Alive
>
> ---request end---
> 127.0.0.1 - - [29/Jun/2016 13:15:02] "GET /File1 HTTP/1.1" 200 -
> HTTP request sent, awaiting response...
> [Here it spins - killing memcheck process after a while:]
> ==560==
> ==560== Process terminating with default action of signal 15 (SIGTERM)
> ==560== at 0x54D802A: ??? (in /usr/lib/x86_64-linux-gnu/libssl.so.1.1)
> ==560== by 0x54DDFB5: ??? (in /usr/lib/x86_64-linux-gnu/libssl.so.1.1)
> ==560== by 0x54E7B56: SSL_peek (in /usr/lib/x86_64-linux-gnu/libssl.so.1.1)
> ==560== by 0x4360BC: openssl_peek (openssl.c:420)
> ==560== by 0x429BEC: fd_read_hunk (retr.c:513)
> ==560== by 0x41D546: read_http_response_head (http.c:575)
> ==560== by 0x41D546: gethttp (http.c:3162)
> ==560== by 0x42074F: http_loop (http.c:3975)
> ==560== by 0x42AB75: retrieve_url (retr.c:817)
> ==560== by 0x406C72: main (main.c:1947)
> ==560==
>
> This kind of error could be anything... but OpenSSL should not behave like
> that at all... any ideas ?
Just want to say that going back to OpenSSL 1.0.2h-1 (Debian unstable), all tests work fine, even with new, auto-generated cert and keys.

Tim
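As an added example (not code from this thread or from the wget project), the purpose check behind the "unsupported certificate purpose" error, driven through the openssl command line: it issues one test server certificate carrying the old server-cert.pem's Key Usage (CRL signing only, plus EKU Server Authentication) and one with the usages a TLS server key is actually used for, then asks OpenSSL's own sslserver purpose check about each. The openssl CLI in PATH, the temporary directory and all subject names are assumptions.

```shell
# Added example, not code from the wget thread: issue a server certificate
# whose Key Usage allows only CRL signing (what the old testenv server cert
# carried) and a corrected one, then let OpenSSL's own "sslserver" purpose
# check judge both. Assumes an openssl CLI in PATH; all names are constructed.
workdir=$(mktemp -d)

# Request config (used for every req call) and a self-signed CA carrying the
# extensions a signing CA needs.
cat >"$workdir/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
O = Example
CN = Example Test CA
[ca_ext]
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
EOF
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$workdir/req.cnf" \
    -keyout "$workdir/ca.key" -out "$workdir/ca.pem" 2>/dev/null
# "broken" mirrors the old test cert (Key Usage = cRLSign only, EKU serverAuth);
# "fixed" carries the usages a TLS server key is actually exercised for.
cat >"$workdir/srv.cnf" <<'EOF'
[broken]
keyUsage = critical, cRLSign
extendedKeyUsage = serverAuth
[fixed]
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
# issue_server <section>: CA-signed server cert with that extension section.
issue_server() {
    openssl req -new -newkey rsa:2048 -nodes -config "$workdir/req.cnf" \
        -subj "/O=Example/CN=localhost" -keyout "$workdir/$1.key" \
        -out "$workdir/$1.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "$workdir/$1.csr" -CA "$workdir/ca.pem" \
        -CAkey "$workdir/ca.key" -CAcreateserial -extfile "$workdir/srv.cnf" \
        -extensions "$1" -out "$workdir/$1.pem" 2>/dev/null
}
# server_purpose_ok <section>: succeeds only if OpenSSL accepts the cert for
# TLS server use; the broken one fails with "unsupported certificate purpose".
server_purpose_ok() {
    issue_server "$1"
    openssl verify -purpose sslserver -CAfile "$workdir/ca.pem" \
        "$workdir/$1.pem" 2>&1 | grep -q ': OK$'
}
for s in broken fixed; do server_purpose_ok "$s" && echo "$s: accepted" || echo "$s: rejected"; done
```

Running `openssl verify` without `-purpose sslserver` would accept both certificates, which is why the problem only surfaces when a TLS client applies the purpose check.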
