On Saturday, 8 July 2017 15:32:44 CEST Ludovic Courtès wrote:
> Hello,
>
> I experienced the test failure reported at
> <https://lists.gnu.org/archive/html/bug-wget/2017-06/msg00009.html> for
> ‘testenv/Test--https.py’ and related tests with:
>
> The certificate's owner does not match hostname
>
> There’s no problem when wget is built against GnuTLS 3.5.9; the test
> failure shows up when wget is built against GnuTLS 3.5.13.
>
> After digging a bit, I found this change in GnuTLS 3.5.12 ‘NEWS’:
>
> --8<---------------cut here---------------start------------->8---
> ** libgnutls: gnutls_x509_crt_check_hostname2() no longer matches IP
> addresses against DNS fields of certificate (CN or DNSname). The previous
> behavior was to tolerate some misconfigured servers, but that was
> non-standard and skipped any IP constraints present in higher level
> certificates.
> --8<---------------cut here---------------end--------------->8---
>
> I think the fix is (1) to explicitly regenerate test certificates that
> use “localhost” as their ‘DNSname’ (when replying to certtool’s “Enter a
> dnsName of the subject of the certificate”), and (2) to use “localhost”
> instead of “127.0.0.1” in test URIs.
>
> Thoughts?

Thanks again, fixed now by
- hard-coding the server domain to 'localhost'
- replacing 127.0.0.1 by localhost in several tests
- regenerating the server cert and crl files

>
> Ludo’.

Regards, Tim
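
The matching rule quoted from the GnuTLS 3.5.12 NEWS entry, modelled as an added Python example (not code from this thread, wget, or GnuTLS): the function `check_hostname`, its `strict` switch, and the certificate field values are constructed for illustration, and wildcard matching is left out.

```python
import ipaddress


def _as_ip(host):
    """Return an ip_address object if host is an IP literal, else None."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None


def check_hostname(reference, dns_names=(), ip_addresses=(), strict=True):
    """Simplified model of certificate name matching (hypothetical helper).

    strict=True  : rule described in the 3.5.12 NEWS entry; an IP reference
                   is compared only against iPAddress entries.
    strict=False : the earlier tolerant behaviour; an IP reference may also
                   match the text of a DNS field (CN or DNSname).
    """
    ref_ip = _as_ip(reference)
    if ref_ip is not None:
        # Compare parsed addresses so different spellings of one IP match.
        if any(_as_ip(ip) == ref_ip for ip in ip_addresses):
            return True
        if strict:
            return False
        return any(name == reference for name in dns_names)
    # DNS reference: case-insensitive exact match (no wildcards in this model).
    return any(name.lower() == reference.lower() for name in dns_names)


if __name__ == "__main__":
    # Constructed certificate contents, not taken from the wget test suite.
    cases = [
        ("127.0.0.1", {"dns_names": ["127.0.0.1"]}, False),  # tolerant rule
        ("127.0.0.1", {"dns_names": ["127.0.0.1"]}, True),   # strict rule
        ("127.0.0.1", {"dns_names": ["localhost"]}, True),   # URI not updated
        ("localhost", {"dns_names": ["localhost"]}, True),   # both fixes applied
        ("127.0.0.1", {"ip_addresses": ["127.0.0.1"]}, True),
    ]
    for host, fields, strict in cases:
        ok = check_hostname(host, strict=strict, **fields)
        print(f"{host:10} {fields} strict={strict}: {'match' if ok else 'MISMATCH'}")
```
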