bug-wget

Re: [Bug-wget] OpenSSL 1.1.0


From: Tim Ruehsen
Subject: Re: [Bug-wget] OpenSSL 1.1.0
Date: Wed, 29 Jun 2016 13:32:25 +0200
User-agent: KMail/4.14.10 (Linux/4.6.0-1-amd64; KDE/4.14.21; x86_64; ; )

On Wednesday 29 June 2016 13:22:07 Tim Ruehsen wrote:
> On Wednesday 29 June 2016 00:10:34 Ángel González wrote:
> > On 28/06/16 22:16, Tim Rühsen wrote:
> > > Patching src/openssl.c for 1.1.0 (see below) let it compile.
> > > But the HTTPS tests fail due to
> > > 
> > > ERROR: cannot verify localhost's certificate, issued by
> > > 'O=GNU,OU=Wget,CN=GNU Wget':
> > >    unsupported certificate purpose
> > > 
> > > Any idea?
> > 
> > server-cert.pem has the following extensions:
> > Key Usage
> > Usages:    Revocation list signature
> > Critical:    Yes
> > 
> > Extended Key Usage
> > Allowed Purposes:    Server Authentication
> > Critical:    No
> > 
> > 
> > Looks like the second extension isn't supported by OpenSSL 1.1.0, and
> > Server Authentication not being in Key Usage, it is rejected.
> > 
> > Recreating this certificate with no Key Usage at all would probably fix
> > it. I'm not sure about the required steps, though.
> 
> Just pushed a commit with a shell script to automatically generate the files
> in testenv/certs. Built with GnuTLS, wget passes the tests.
> 
> With OpenSSL 1.1.0 (+ my patch + freshly generated certs), wget spins at all
> HTTPS tests, eating up 100% CPU.
> 
> With OpenSSL 1.1.0 (+ my patch + old certs), wget spins only in
> Test-pinnedpubkey-der-no-check-https.py. The other HTTPS tests fail.
> 
> With a little debug output, I verified that SSL_peek() does not return (and
> spins). Here is wget / valgrind output:
> 
> Setting --no-config (noconfig) to 1
> Setting --check-certificate (checkcertificate) to 0
> Setting --pinnedpubkey (pinnedpubkey) to
> /usr/oms/src/wget1.x/testenv/certs/server-pubkey.der
> DEBUG output created by Wget 1.18.7-4335 on linux-gnu.
> 
> Reading HSTS entries from /usr/oms/.wget-hsts
> URI encoding = ‘UTF-8’
> Converted file name 'File1' (UTF-8) -> 'File1' (UTF-8)
> --2016-06-29 13:15:01--  https://127.0.0.1:34755/File1
> Connecting to 127.0.0.1:34755... connected.
> Created socket 3.
> Releasing 0x00000000093d49d0 (new refcount 0).
> Deleting unused 0x00000000093d49d0.
> Initiating SSL handshake.
> Handshake successful; connected socket 3 to SSL handle 0x00000000093d4b90
> certificate:
>   subject: O=GNU,OU=Wget,CN=127.0.0.1
>   issuer:  O=GNU,OU=Wget,CN=GNU Wget
> WARNING: cannot verify 127.0.0.1's certificate, issued by
> ‘O=GNU,OU=Wget,CN=GNU Wget’:
>   Unable to locally verify the issuer's authority.
> 
> ---request begin---
> GET /File1 HTTP/1.1
> User-Agent: Wget/1.18.7-4335 (linux-gnu)
> Accept: */*
> Accept-Encoding: identity
> Host: 127.0.0.1:34755
> Connection: Keep-Alive
> 
> ---request end---
> 127.0.0.1 - - [29/Jun/2016 13:15:02] "GET /File1 HTTP/1.1" 200 -
> HTTP request sent, awaiting response...
> [Here it spins - killing memcheck process after a while:]
> ==560==
> ==560== Process terminating with default action of signal 15 (SIGTERM)
> ==560==    at 0x54D802A: ??? (in /usr/lib/x86_64-linux-gnu/libssl.so.1.1)
> ==560==    by 0x54DDFB5: ??? (in /usr/lib/x86_64-linux-gnu/libssl.so.1.1)
> ==560==    by 0x54E7B56: SSL_peek (in /usr/lib/x86_64-linux-gnu/libssl.so.1.1)
> ==560==    by 0x4360BC: openssl_peek (openssl.c:420)
> ==560==    by 0x429BEC: fd_read_hunk (retr.c:513)
> ==560==    by 0x41D546: read_http_response_head (http.c:575)
> ==560==    by 0x41D546: gethttp (http.c:3162)
> ==560==    by 0x42074F: http_loop (http.c:3975)
> ==560==    by 0x42AB75: retrieve_url (retr.c:817)
> ==560==    by 0x406C72: main (main.c:1947)
> ==560==
> 
> This kind of error could be anything... but OpenSSL should not behave like
> that at all... any ideas?

Just want to say that going back to OpenSSL 1.0.2h-1 (Debian unstable), all 
tests work fine, even with new, auto-generated cert and keys.

Tim
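Ángel's reading of the server-cert.pem extensions quoted above can be reproduced with OpenSSL's own purpose check: `openssl verify -purpose sslserver` applies the same Key Usage test the library applies to a TLS server leaf, so a leaf whose critical Key Usage permits only CRL signing is rejected as "unsupported certificate purpose" even though its Extended Key Usage says serverAuth. The script below is an added example, not code from the thread or from wget's testenv script; it assumes an `openssl` binary on PATH, and the temporary paths and config section names are constructed for this demo (the subjects mirror the thread's).

```shell
#!/bin/sh
# Added example (not from the thread or wget): issue two leaf certs under a throwaway
# CA and run OpenSSL's sslserver purpose check on each. Paths/sections are constructed.
set -e
WORK=$(mktemp -d)
cat > "$WORK/ext.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ srv_crlsign_only ]
# Profile from the thread: Key Usage allows only CRL signing, EKU says serverAuth.
basicConstraints = CA:FALSE
keyUsage = critical, cRLSign
extendedKeyUsage = serverAuth
subjectAltName = IP:127.0.0.1
[ srv_fixed ]
# An RSA TLS server leaf needs digitalSignature and/or keyEncipherment in Key Usage.
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = IP:127.0.0.1
EOF
# Self-signed test CA (subject mirrors the thread's issuer).
openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 2 \
  -subj "/O=GNU/OU=Wget/CN=GNU Wget" -config "$WORK/ext.cnf" \
  -keyout "$WORK/ca-key.pem" -out "$WORK/ca.pem" 2>/dev/null
# issue_server SECTION: CA-signed leaf for 127.0.0.1 using that extension profile.
issue_server() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/O=GNU/OU=Wget/CN=127.0.0.1" \
    -config "$WORK/ext.cnf" -keyout "$WORK/$1-key.pem" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca-key.pem" \
    -CAcreateserial -days 2 -sha256 -extfile "$WORK/ext.cnf" -extensions "$1" \
    -out "$WORK/$1.pem" 2>/dev/null
}
# verify_server SECTION: exit 0 iff OpenSSL accepts the leaf for the sslserver purpose.
verify_server() {
  openssl verify -purpose sslserver -CAfile "$WORK/ca.pem" "$WORK/$1.pem" >/dev/null 2>&1
}
for p in srv_crlsign_only srv_fixed; do
  issue_server "$p"
  if verify_server "$p"; then echo "$p: accepted for sslserver"; else
    echo "$p: $(openssl verify -purpose sslserver -CAfile "$WORK/ca.pem" "$WORK/$p.pem" 2>&1 | grep lookup | head -n1)"
  fi
done
```

Dropping `-purpose sslserver` makes both leaves verify, which is why a plain chain check does not surface this mismatch; only a purpose-aware verifier (such as a TLS client) does.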
