rockdaboot / wget2

The successor of GNU Wget. Contributions preferred at https://gitlab.com/gnuwget/wget2. But accepted here as well 😍
GNU Lesser General Public License v3.0

handshake error : --with-ssl=openssl #243

Closed maravtdm closed 2 years ago

maravtdm commented 3 years ago

Hi,

with ./configure --with-ssl=openssl, I have this issue :

$ wget2 https://github.com/stedolan/jq/releases/download/jq-1.6/jq-1.6.tar.gz 
[0] Downloading 'https://github.com/stedolan/jq/releases/download/jq-1.6/jq-1.6.tar.gz' ...
HTTP response 302  [https://github.com/stedolan/jq/releases/download/jq-1.6/jq-1.6.tar.gz]
Adding URL: https://github-releases.githubusercontent.com/5101141/e4612500-eca9-11e8-8306-c58af06c65f5?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20211009%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20211009T222038Z&X-Amz-Expires=300&X-Amz-Signature=9411a9c7bbfd70a75e3f3cea9ca0afa2d728f7a41900d4b3f6ee6c57b9c973a3&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=5101141&response-content-disposition=attachment%3B%20filename%3Djq-1.6.tar.gz&response-content-type=application%2Foctet-stream
OCSP response is too old. Ignoring.
Could not verify stapled OCSP response. Aborting.
Could not complete TLS handshake: invalid status response
[... same message as the 3 previous ones, X times]
Failed to connect: Handshake error

But, with ./configure --with-openssl, everything is fine :

$ wget2 https://github.com/stedolan/jq/releases/download/jq-1.6/jq-1.6.tar.gz
[0] Downloading 'https://github.com/stedolan/jq/releases/download/jq-1.6/jq-1.6.tar.gz' ...
HTTP response 302  [https://github.com/stedolan/jq/releases/download/jq-1.6/jq-1.6.tar.gz]
Adding URL: https://github-releases.githubusercontent.com/5101141/e4612500-eca9-11e8-8306-c58af06c65f5?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20211009%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20211009T222422Z&X-Amz-Expires=300&X-Amz-Signature=81bef7012911e41924866e3629e95b66d1f883341d6d7ed9143683c0abbffb3b&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=5101141&response-content-disposition=attachment%3B%20filename%3Djq-1.6.tar.gz&response-content-type=application%2Foctet-stream
[0] Downloading 'https://github-releases.githubusercontent.com/5101141/e4612500-eca9-11e8-8306-c58af06c65f5?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20211009%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20211009T222422Z&X-Amz-Expires=300&X-Amz-Signature=81bef7012911e41924866e3629e95b66d1f883341d6d7ed9143683c0abbffb3b&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=5101141&response-content-disposition=attachment%3B%20filename%3Djq-1.6.tar.gz&response-content-type=application%2Foctet-stream' ...
Saving 'jq-1.6.tar.gz.1'
HTTP response 200  [https://github-releases.githubusercontent.com/5101141/e4612500-eca9-11e8-8306-c58af06c65f5?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20211009%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20211009T222422Z&X-Amz-Expires=300&X-Amz-Signature=81bef7012911e41924866e3629e95b66d1f883341d6d7ed9143683c0abbffb3b&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=5101141&response-content-disposition=attachment%3B%20filename%3Djq-1.6.tar.gz&response-content-type=application%2Foctet-stream]
rockdaboot commented 3 years ago

--with-openssl explicitly selects the crypto library for checksumming etc. The TLS library to use is auto-selected in this case. While --with-ssl=openssl explicitly selects the TLS library to be OpenSSL.

So depending on which dev libraries you installed, both builds may use a different TLS library (or different versions) - e.g. GnuTLS is preferred over OpenSSL in automatic mode.

It would be interesting to see what you end up with. If you could share the config.log for both cases, I can find out. Please check that it doesn't contain any private data that you don't want to share (e.g. path / user / machine name).

maravtdm commented 3 years ago

Hi, Thanks for your answer

(For privacy, I'm fine with that.) Here they are: config_with-openssl.log, config_with-ssl_openssl.log

Zackptg5 commented 2 years ago

Outcome appears the same for you, and it is for me as well. I have some more details on it on my end. Using openssl 3.0.0: in config.h, HAVE_GNU_TLS_OCSP_H is unset, as it should be. But openssl has its own header for it, openssl/ocsp.h, which is enabled (HAVE_OPENSSL_OCSP_H), and so WITH_OCSP is set.

Despite this, ocsp doesn't work with openssl. I tried setting both ssl=openssl and openssl=yes and got these results

rockdaboot commented 2 years ago

From your log files, ./configure --with-ssl=openssl builds with openssl while ./configure --with-openssl builds with GnuTLS + -lcrypto (from openssl, but libcrypto is not called from code as GnuTLS has all the crypto built in).

So the only question is why OCSP doesn't work with OpenSSL. It does here (Debian unstable, openssl 1.1.1l-1).

So I assume that on your system, openssl is built without OCSP support (or otherwise incorrectly). What openssl versions do you use? Did you run all the tests when building openssl? And what does it say about OCSP? Did you run make check for wget2?

juaristi commented 2 years ago

OCSP response is too old. Ignoring.

This error comes from the fact that the stapled OCSP response is older than 3 days. I don't know why the check fails in OpenSSL and succeeds in GnuTLS, have to look into that. In the meanwhile, could you disable that with --no-ocsp-date? That should disable this particular check.
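
The freshness window juaristi describes above, as an added example in Python; this is not wget2's code and not part of the thread. It assumes OpenSSL-style GeneralizedTime strings (YYYYMMDDHHMMSSZ) for thisUpdate/nextUpdate, the 3-day maximum age quoted in the comment, a 5-minute clock-skew tolerance and a strict nextUpdate check (both assumptions), and a `check_dates` switch standing in for `--no-ocsp-date`. The sample staples and the fixed clock are constructed for the demonstration.

```python
"""Stapled-OCSP freshness policy, illustrating the "too old" check quoted above.

Added example, not wget2's implementation. Assumptions: OpenSSL-style
GeneralizedTime strings, a 3-day maximum age (the figure from the comment),
a 5-minute skew tolerance and a strict nextUpdate check.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

MAX_STAPLE_AGE = timedelta(days=3)  # "older than 3 days" per the comment above
CLOCK_SKEW = timedelta(minutes=5)    # assumed tolerance for a thisUpdate slightly ahead of our clock


def parse_generalized_time(s: str) -> datetime:
    """Parse an ASN.1 GeneralizedTime as OpenSSL prints it (UTC, 'Z' suffix).

    Fractional seconds and non-UTC offsets are rejected rather than guessed at.
    """
    if len(s) != 15 or not s.endswith("Z") or not s[:-1].isdigit():
        raise ValueError(f"unsupported GeneralizedTime: {s!r}")
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


@dataclass(frozen=True)
class StapleInfo:
    status: str                     # "good", "revoked" or "unknown"
    this_update: str                # GeneralizedTime
    next_update: Optional[str] = None   # nextUpdate is optional in RFC 6960


@dataclass(frozen=True)
class Verdict:
    accept: bool
    reason: str


def check_staple(staple: StapleInfo, now: datetime, check_dates: bool = True) -> Verdict:
    """Decide whether a stapled OCSP response may be relied on.

    check_dates=False mirrors the effect of --no-ocsp-date: the time window is
    not enforced, but a 'revoked' or 'unknown' status still fails the check.
    The 3-day age cap is applied independently of nextUpdate, so a staple can
    still be inside the responder's own validity window and yet be rejected.
    """
    if staple.status != "good":
        return Verdict(False, f"status is {staple.status}")
    if not check_dates:
        return Verdict(True, "date check disabled")
    this_update = parse_generalized_time(staple.this_update)
    if this_update - CLOCK_SKEW > now:
        return Verdict(False, "thisUpdate is in the future")
    if staple.next_update is not None:
        if parse_generalized_time(staple.next_update) < now:
            return Verdict(False, "nextUpdate has passed")
    if now - this_update > MAX_STAPLE_AGE:
        return Verdict(False, "OCSP response is too old")
    return Verdict(True, "fresh")


# Constructed sample staples (not real responder output). The clock is fixed to
# the X-Amz-Date of the first log in this thread so the run is deterministic.
NOW = datetime(2021, 10, 9, 22, 20, 38, tzinfo=timezone.utc)
SAMPLES = {
    "fresh":   StapleInfo("good", "20211008120000Z", "20211015120000Z"),
    "stale":   StapleInfo("good", "20211001120000Z", "20211015120000Z"),  # 8 days old, nextUpdate still ahead
    "expired": StapleInfo("good", "20211008120000Z", "20211009120000Z"),
    "revoked": StapleInfo("revoked", "20211008120000Z", "20211015120000Z"),
    "future":  StapleInfo("good", "20211010120000Z", None),
}


def run_samples(check_dates: bool = True) -> dict:
    """Return the verdict reason for every constructed sample."""
    return {name: check_staple(s, NOW, check_dates).reason for name, s in SAMPLES.items()}


if __name__ == "__main__":
    for name, reason in run_samples().items():
        print(f"{name:8} -> {reason}")
    print("with --no-ocsp-date:", run_samples(check_dates=False))
```

The "stale" sample is the situation in the original report: the responder's nextUpdate is still days away, so a client that only checks the validity window (or a GnuTLS build applying a different policy) accepts it, while the stricter 3-day age cap rejects it. Disabling the date check is a workaround for a misbehaving staple, not a fix; a revoked status must still abort.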

juaristi commented 2 years ago

I've pushed a fix to GNU's repository on GitLab.

maravtdm commented 2 years ago

Hi,

Curiously, the issue (--with-openssl) no longer exists...

blackstar :: ~ » wget2 -V
GNU Wget2 2.0.0 - multithreaded metalink/file/website downloader

+digest +https +ssl/openssl +ipv6 +iri +large-file +nls -ntlm -opie +psl -hsts
+iconv +idn2 +zlib +lzma +brotlidec +zstd +bzip2 +lzip +http2 +gpgme
blackstar :: ~ » wget2 https://github.com/stedolan/jq/releases/download/jq-1.6/jq-1.6.tar.gz
[0] Downloading 'https://github.com/stedolan/jq/releases/download/jq-1.6/jq-1.6.tar.gz' ...
HTTP response 302  [https://github.com/stedolan/jq/releases/download/jq-1.6/jq-1.6.tar.gz]
Adding URL: https://objects.githubusercontent.com/github-production-release-asset-2e65be/5101141/e4612500-eca9-11e8-8306-c58af06c65f5?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20220105%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20220105T082800Z&X-Amz-Expires=300&X-Amz-Signature=c7d164fc079b38162a8afc8689283ababa7e0e8b376f17f6d2dff27957dc8df3&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=5101141&response-content-disposition=attachment%3B%20filename%3Djq-1.6.tar.gz&response-content-type=application%2Foctet-stream
[0] Downloading 'https://objects.githubusercontent.com/github-production-release-asset-2e65be/5101141/e4612500-eca9-11e8-8306-c58af06c65f5?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20220105%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20220105T082800Z&X-Amz-Expires=300&X-Amz-Signature=c7d164fc079b38162a8afc8689283ababa7e0e8b376f17f6d2dff27957dc8df3&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=5101141&response-content-disposition=attachment%3B%20filename%3Djq-1.6.tar.gz&response-content-type=application%2Foctet-stream' ...
Saving 'jq-1.6.tar.gz.1'
HTTP response 200  [https://objects.githubusercontent.com/github-production-release-asset-2e65be/5101141/e4612500-eca9-11e8-8306-c58af06c65f5?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20220105%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20220105T082800Z&X-Amz-Expires=300&X-Amz-Signature=c7d164fc079b38162a8afc8689283ababa7e0e8b376f17f6d2dff27957dc8df3&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=5101141&response-content-disposition=attachment%3B%20filename%3Djq-1.6.tar.gz&response-content-type=application%2Foctet-stream]