Bug#686837: serveralias *
there is one workaround. if the user has access to the server confs, putting "serveralias *" (apache) avoids the bug.

--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Bug#686837: i think i found the problem
i think i found the problem

the problem exists in the 1.14 version but not in 1.13

http://ftp.de.debian.org/debian/pool/main/w/wget/wget_1.14.orig.tar.gz

in this source, the file "gnutls.c" contains the following:

    /* We set the server name but only if it's not an IP address. */
    if (! is_valid_ip_address (hostname))
      {
        gnutls_server_name_set (session, GNUTLS_NAME_DNS, hostname,
                                strlen (hostname));
      }

strictly speaking this is not a certificate issue. however, it only has an effect when using a dns name (not an ip number) and an ssl connection. to my knowledge the certificate check shouldn't check "servernames" (being different from the certificate's hostname).

my recommendation is to remove the lines above. another solution might be to have some kind of ignore option, either as part of --no-check-certificate or as an additional option.
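What a server's reply to that server name looks like on the wire, as an added example that is not code from wget, GnuTLS or this bug report: a TLS alert is a two-byte level/description pair, and unrecognized_name (112, RFC 6066) sent at warning level does not end the session. The function name, enums and sample records are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Values from the TLS record/alert layer (RFC 5246) and SNI (RFC 6066). */
enum { CT_ALERT = 21, LEVEL_WARNING = 1, LEVEL_FATAL = 2,
       DESC_CLOSE_NOTIFY = 0, DESC_UNRECOGNIZED_NAME = 112 };

enum alert_action { ALERT_CONTINUE, ALERT_CLOSE, ALERT_ABORT, ALERT_MALFORMED };

/* Hypothetical helper: decide what a client does with one plaintext TLS
   record (5-byte header + body) that arrives during the handshake. */
enum alert_action
triage_alert_record (const uint8_t *rec, size_t len)
{
  if (len < 5 || rec[0] != CT_ALERT)
    return ALERT_MALFORMED;
  size_t body_len = ((size_t) rec[3] << 8) | rec[4];
  /* An alert body is exactly two bytes: level, then description. */
  if (body_len != 2 || len != 5 + body_len)
    return ALERT_MALFORMED;

  uint8_t level = rec[5], desc = rec[6];
  if (level == LEVEL_FATAL)
    return ALERT_ABORT;          /* peer has given up on the connection */
  if (level != LEVEL_WARNING)
    return ALERT_MALFORMED;
  if (desc == DESC_CLOSE_NOTIFY)
    return ALERT_CLOSE;          /* orderly shutdown */
  /* Other warnings (e.g. unrecognized_name) leave the session usable.
     Continuing does not skip certificate verification, which still
     decides whether the peer is trusted. */
  return ALERT_CONTINUE;
}

/* Constructed sample records, record version 03 01. */
static const uint8_t sample_warning_112[] = { CT_ALERT, 3, 1, 0, 2, LEVEL_WARNING, DESC_UNRECOGNIZED_NAME };
static const uint8_t sample_fatal_112[] = { CT_ALERT, 3, 1, 0, 2, LEVEL_FATAL, DESC_UNRECOGNIZED_NAME };
static const uint8_t sample_close[] = { CT_ALERT, 3, 1, 0, 2, LEVEL_WARNING, DESC_CLOSE_NOTIFY };
static const uint8_t sample_truncated[] = { CT_ALERT, 3, 1, 0, 2, LEVEL_WARNING };

int
main (void)
{
  static const char *names[] = { "continue", "close", "abort", "malformed" };
  printf ("warning/112: %s\n", names[triage_alert_record (sample_warning_112, sizeof sample_warning_112)]);
  printf ("fatal/112:   %s\n", names[triage_alert_record (sample_fatal_112, sizeof sample_fatal_112)]);
  printf ("truncated:   %s\n", names[triage_alert_record (sample_truncated, sizeof sample_truncated)]);
  return 0;
}
```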
Bug#686837: openssl unaffected
i used this source for testing

http://ftp.de.debian.org/debian/pool/main/w/wget/wget_1.14.orig.tar.gz

and tested gnutls, which is affected by the bug. when compiling with openssl the bug doesn't occur.
Bug#686837: slightly more info
my apologies, but i'm concerned about my privacy. this is my spambox address, and i don't like to post my web server addresses. also, this information will be publicly available on debian servers forever.

in this configuration there are two ports, 8001 and 8002. the difference is a different "servername" directive in the apache conf and the listening port. the certificate is the same for both. on port 8001 servername is set to "mycomp". on port 8002 servername is set to "example.tld", matching the dns name.

in my tests gnutls-cli works fine when --insecure was used. i noticed one difference in the gnutls connections:

    *** Non fatal error: A TLS warning alert has been received.
    *** Received alert [112]: The server name sent was not recognized

as far as i can figure, gnutls doesn't have a problem, but it seems wget takes this non-fatal error too seriously.

it's possible to replicate these results using an http server, turning ssl on, creating a self-signed certificate and switching the servername directive to match/mismatch the hostname/dns-name used in wget (wget https://localhost).

    $ wget -d https://example.tld:8001
    DEBUG output created by Wget 1.14 on linux-gnu.

    URI encoding = ‘UTF-8’
    --2012-09-09 12:38:06--  https://example.tld:8001/
    Resolving example.tld (example.tld)... 257.257.257.257
    Caching example.tld => 257.257.257.257
    Connecting to example.tld (example.tld)|257.257.257.257|:8001... connected.
    Created socket 4.
    Releasing 0x02df4aa0 (new refcount 1).
    GnuTLS: A TLS warning alert has been received.
    Closed fd 4
    Unable to establish SSL connection.

    $ wget --no-check-certificate -d https://example.tld:8001
    DEBUG output created by Wget 1.14 on linux-gnu.

    URI encoding = ‘UTF-8’
    --2012-09-09 13:30:06--  https://example.tld:8001/
    Resolving example.tld (example.tld)... 257.257.257.257
    Caching example.tld => 257.257.257.257
    Connecting to example.tld (example.tld)|257.257.257.257|:8001... connected.
    Created socket 4.
    Releasing 0x01b65a60 (new refcount 1).
    GnuTLS: A TLS warning alert has been received.
    Closed fd 4
    Unable to establish SSL connection.

    $ gnutls-cli -d 5 example.tld -p 8001
    |<2>| p11: loaded provider 'gnome-keyring-module' with 0 slots
    |<2>| ASSERT: pkcs11.c:459
    Processed 152 CA certificate(s).
    Resolving 'example.tld'...
    Connecting to '257.257.257.257:8001'...
    |<4>| REC[0x96fdc0]: Allocating epoch #0
    |<2>| ASSERT: gnutls_constate.c:717
    |<4>| REC[0x96fdc0]: Allocating epoch #1