Bug#686837: serveralias *

2013-03-08 Thread matias smith
There is one workaround.

If the user has access to the server confs, putting "serveralias *" (apache) avoids the 
bug.


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org



Bug#686837: i think i found the problem

2013-02-18 Thread matias smith
I think I found the problem.

The problem exists in version 1.14 but not in 1.13:
http://ftp.de.debian.org/debian/pool/main/w/wget/wget_1.14.orig.tar.gz
In this source, in the file "gnutls.c",
there is the following:

  /* We set the server name but only if it's not an IP address. */
  if (! is_valid_ip_address (hostname))
    {
      gnutls_server_name_set (session, GNUTLS_NAME_DNS, hostname,
                              strlen (hostname));
    }

Strictly speaking this is not a certificate issue. However, it only occurs when 
using a DNS name (not an IP number) and an SSL connection.
To my knowledge, the certificate check shouldn't check "servernames" (being 
different from the certificate's hostname).

My recommendation is to remove the lines above.
Another solution might be to have some kind of ignore option, either as part of 
--no-check-certificate or as an additional option.





Bug#686837: openssl unaffected

2013-02-18 Thread matias smith

I used this source for the test:
http://ftp.de.debian.org/debian/pool/main/w/wget/wget_1.14.orig.tar.gz
and tested with GnuTLS, which is affected by the bug.

When compiling with OpenSSL the bug doesn't occur.





Bug#686837: slightly more info

2012-09-09 Thread matias smith

My apologies, but I'm concerned about my privacy.
This is my spambox address; I don't like to post my web server addresses.
Also, this information will be publicly available on Debian servers 
forever.


In this configuration there are two ports, 8001 and 8002. The difference is a 
different "servername" directive in the apache conf and the listening port. The 
certificate is the same for both.
On port 8001 servername is set to "mycomp". 
On port 8002 servername is set to "example.tld", matching the DNS name.


In my tests gnutls-cli works fine when --insecure was used.

I noticed one difference in the gnutls connections:
*** Non fatal error: A TLS warning alert has been received.
*** Received alert [112]: The server name sent was not recognized

From what I can figure, gnutls doesn't have a problem, but it seems wget takes this 
non-fatal error too seriously.

It's possible to replicate these results using an HTTP server, turning SSL on, 
creating a self-signed certificate and switching the servername directive to 
match/mismatch the hostname/DNS name used in wget (wget https://localhost). 


$ wget -d https://example.tld:8001
DEBUG output created by Wget 1.14 on linux-gnu.

URI encoding = ?UTF-8?
--2012-09-09 12:38:06--  https://example.tld:8001/
Resolving example.tld (example.tld)... 257.257.257.257
Caching example.tld => 257.257.257.257
Connecting to example.tld (example.tld)|257.257.257.257|:8001... connected.
Created socket 4.
Releasing 0x02df4aa0 (new refcount 1).
GnuTLS: A TLS warning alert has been received.
Closed fd 4
Unable to establish SSL connection.

$ wget --no-check-certificate -d https://example.tld:8001
DEBUG output created by Wget 1.14 on linux-gnu.

URI encoding = ?UTF-8?
--2012-09-09 13:30:06--  https://example.tld:8001/
Resolving example.tld (example.tld)... 257.257.257.257
Caching example.tld => 257.257.257.257
Connecting to example.tld (example.tld)|257.257.257.257|:8001... connected.
Created socket 4.
Releasing 0x01b65a60 (new refcount 1).
GnuTLS: A TLS warning alert has been received.
Closed fd 4
Unable to establish SSL connection.

$ gnutls-cli -d 5 example.tld -p 8001
|<2>| p11: loaded provider 'gnome-keyring-module' with 0 slots
|<2>| ASSERT: pkcs11.c:459
Processed 152 CA certificate(s).
Resolving 'example.tld'...
Connecting to '257.257.257.257:8001'...
|<4>| REC[0x96fdc0]: Allocating epoch #0
|<2>| ASSERT: gnutls_constate.c:717
|<4>| REC[0x96fdc0]: Allocating epoch #1
|<3>| HSK[0x96fdc0]: Keeping ciphersuite: ECDHE_ECDSA_AES_128_CBC_SHA1 (C0.09)
|<3>| HSK[0x96fdc0]: Keeping ciphersuite: ECDHE_ECDSA_AES_128_CBC_SHA256 (C0.23)
|<3>| HSK[0x96fdc0]: Keeping ciphersuite: ECDHE_ECDSA_AES_128_GCM_SHA256 (C0.2B)
|<3>| HSK[0x96fdc0]: Keeping ciphersuite: ECDHE_ECDSA_AES_256_CBC_SHA1 (C0.0A)
|<3>| HSK[0x96fdc0]: Keeping ciphersuite: ECDHE_ECDSA_AES_256_CBC_SHA384 (C0.24)
|<3>| HSK[0x96fdc0]: Keeping ciphersuite: ECDHE_ECDSA_AES_256_GCM_SHA384 (C0.2C)
|<3>| HSK[0x96fdc0]: Keeping ciphersuite: ECDHE_ECDSA_3DES_EDE_CBC_SHA1 (C0.08)
|<3>| HSK[0x96fdc0]: Keeping ciphersuite: ECDHE_RSA_AES_128_CBC_SHA1 (C0.13)
|<3>| HSK[0x96fdc0]: Keeping ciphersuite: ECDHE_RSA_AES_128_CBC_SHA256 (C0.27)
|<3>| HSK[0x96fdc0]: Keeping ciphersuite: ECDHE_RSA_AES_128_GCM_SHA256 (C0.2F)
|<3>| HSK[0x96fdc0]: Keeping ciphersuite: ECDHE_RSA_AES_256_CBC_SHA1 (C0.14)
|<3>| HSK[0x96fdc0]: Keeping ciphersuite: ECDHE_RSA_AES_256_GCM_SHA384 (C0.30)
|<3>| HSK[0x96fdc0]: Keeping ciphersuite: ECDHE_RSA_3DES_EDE_CBC_SHA1 (C0.12)
|<3>| HSK[0x96fdc0]: Keeping ciphersuite: DHE_RSA_AES_128_CBC_SHA1 (00.33)
|<3>| HSK[0x96fdc0]: Keeping ciphersuite: DHE_RSA_AES_128_CBC_SHA256 (00.67)
|<3>| HSK[0x96fdc0]: Keeping ciphersuite: DHE_RSA_CAMELLIA_128_CBC_SHA1 (00.45)
|<3>| HSK[0x96fdc0]: Keeping ciphersuite: DHE_RSA_AES_128_GCM_SHA256 (00.9E)
|<3>| HSK[0x96fdc0]: Keeping ciphersuite: DHE_RSA_AES_256_CBC_SHA1 (00.39)
|<3>| HSK[0x96fdc0]: Keeping ciphersuite: DHE_RSA_AES_256_CBC_SHA256 (00.6B)
|<3>| HSK[0x96fdc0]: Keeping ciphersuite: DHE_RSA_CAMELLIA_256_CBC_SHA1 (00.88)
|<3>| HSK[0x96fdc0]: Keeping ciphersuite: DHE_RSA_3DES_EDE_CBC_SHA1 (00.16)
|<3>| HSK[0x96fdc0]: Keeping ciphersuite: DHE_DSS_AES_128_CBC_SHA1 (00.32)
|<3>| HSK[0x96fdc0]: Keeping ciphersuite: DHE_DSS_AES_128_CBC_SHA256 (00.40)
|<3>| HSK[0x96fdc0]: Keeping ciphersuite: DHE_DSS_CAMELLIA_128_CBC_SHA1 (00.44)
|<3>| HSK[0x96fdc0]: Keeping ciphersuite: DHE_DSS_AES_128_GCM_SHA256 (00.A2)
|<3>| HSK[0x96fdc0]: Keeping ciphersuite: DHE_DSS_AES_256_CBC_SHA1 (00.38)
|<3>| HSK[0x96fdc0]: Keeping ciphersuite: DHE_DSS_AES_256_CBC_SHA256 (00.6A)
|<3>| HSK[0x96fdc0]: Keeping ciphersuite: DHE_DSS_CAMELLIA_256_CBC_SHA1 (00.87)
|<3>| HSK[0x96fdc0]: Keeping ciphersuite: DHE_DSS_3DES_EDE_CBC_SHA1 (00.13)
|<3>| HSK[0x96fdc0]: Keeping ciphersuite: DHE_DSS_ARCFOUR_SHA1 (00.66)
|<3>| HSK[0x96fdc0]: Keeping ciphersuite: RSA_AES_128_CBC_SHA1 (00.2F)
|<3>| HSK[0x96fdc0]: Keeping ciphersuite: RSA_AES_128_CBC_SHA256 (00.3C)
|<3>| HSK[0x96fdc0]: Keeping ciphersuite: RSA_CAMELLIA_128_CBC_SHA1 (00.41)
|<3>| HSK[0x96fdc0]: Keeping ciphe
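
The behaviour reported in this thread, shown as an added example (not wget or GnuTLS code, and not part of the original messages): a client-side walk over plaintext TLS records that contrasts giving up on any alert with continuing past a warning-level alert 112. The names walk_records, hs_stats and SAMPLE, and the sample bytes, are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Constants from RFC 5246 (record layer, alerts) and RFC 6066 (alert 112). */
enum { CT_ALERT = 21, CT_HANDSHAKE = 22 };
enum { LVL_WARNING = 1, LVL_FATAL = 2, DESC_UNRECOGNIZED_NAME = 112 };
enum hs_result { HS_PROGRESS, HS_ABORTED, HS_MALFORMED };
struct hs_stats { int warnings; int last_alert; size_t handshake_bytes; };

/* Walk plaintext TLS records as a client sees them before ChangeCipherSpec.
   strict != 0 models the failure reported in the thread: any alert ends the
   connection.  strict == 0 counts warnings and continues; fatal always aborts. */
enum hs_result
walk_records (const uint8_t *buf, size_t len, int strict, struct hs_stats *st)
{
  size_t off = 0;
  st->warnings = 0; st->last_alert = -1; st->handshake_bytes = 0;
  while (off < len)
    {
      if (len - off < 5)
        return HS_MALFORMED;            /* truncated record header */
      uint8_t type = buf[off];
      size_t body = ((size_t) buf[off + 3] << 8) | buf[off + 4];
      off += 5;
      if (body > len - off)
        return HS_MALFORMED;            /* body runs past the buffer */
      if (type == CT_ALERT)
        {
          if (body != 2)
            return HS_MALFORMED;        /* an alert is level + description */
          uint8_t level = buf[off], desc = buf[off + 1];
          st->last_alert = desc;
          if (level == LVL_FATAL || strict)
            return HS_ABORTED;
          if (level != LVL_WARNING)
            return HS_MALFORMED;
          st->warnings++;               /* non-fatal: record it, continue */
        }
      else if (type == CT_HANDSHAKE)
        st->handshake_bytes += body;
      else
        return HS_MALFORMED;            /* not expected at this stage */
      off += body;
    }
  return HS_PROGRESS;
}

/* Constructed sample: warning alert 112, then a 4-byte handshake fragment. */
const uint8_t SAMPLE[] = { 21,3,3,0,2,1,112, 22,3,3,0,4,2,0,0,0 };
```

Continuing past the warning only lets the handshake proceed; certificate and hostname verification still have to run afterwards.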