Sorry for sending two emails, but unfortunately, I only thought to
double-check the https://raw.githubusercontent.com/ testcase after
sending my original message.

That test appears to still be both valid (i.e. using a Subject
Alternative Name) and working (i.e. wget succeeds). Therefore, it seems
to be specific to my certificate. However, neither Firefox nor openssl
s_client seem to have any issues with it.

This is further supported by my observation that the issue seemed to
disappear when compiling wget with OpenSSL instead of GnuTLS (I had
tried a few things with the upstream git, but wasn't confident enough in
my results to mention it). In fact, trying a few things with gnutls-cli
suggests that the issue is specific to the use of an IP address instead
of a hostname.

$ gnutls-cli 192.168.1.7
[...]
- Status: The certificate is NOT trusted. The name in the certificate does not match the expected.
$ gnutls-cli host
[...]
- Status: The certificate is trusted.

Thus, my issue appears not to be a bug with wget after all. I apologize
for wasting your time.

Thanks.
-nandhp

On 07/04/2014 11:27 PM, nandhp wrote:
> Package: wget
> Version: 1.15-1+b1
> Severity: normal
> 
> Dear Maintainer,
> 
> It appears that Subject Alternative Names are again failing to be
> checked in wget 1.15-1.
> 
> $ openssl s_client -connect 192.168.1.7:443 -showcerts </dev/null |
> openssl x509 -text
> [...]
>         Subject: C=US, O=example.com, OU=root, CN=host.example.com
> [...]
>             X509v3 Subject Alternative Name:
>                 DNS:host.example.com, DNS:host.localdomain, DNS:host, IP Address:192.168.1.7
> [...]
> $ wget https://192.168.1.7/
> --2014-07-04 23:15:14--  https://192.168.1.7/
> Connecting to 192.168.1.7:443... connected.
> The certificate's owner does not match hostname ‘192.168.1.7’
> $
> 
> Thanks.
> -nandhp
> 
> 
> -- System Information:
> Debian Release: jessie/sid
>   APT prefers testing
>   APT policy: (500, 'testing')
> Architecture: amd64 (x86_64)
> Foreign Architectures: i386
> 
> Kernel: Linux 3.14-1-amd64 (SMP w/4 CPU cores)
> Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> 
> Versions of packages wget depends on:
> ii  libc6              2.19-4
> ii  libgnutls-deb0-28  3.2.15-2
> ii  libidn11           1.28-2
> ii  libnettle4         2.7.1-2+b1
> ii  libuuid1           2.20.1-5.8
> ii  zlib1g             1:1.2.8.dfsg-1
> 
> Versions of packages wget recommends:
> ii  ca-certificates  20140325
> 
> wget suggests no packages.
> 
> -- no debconf information
> 
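
The name check this thread turns on, as an added example (not code from wget, GnuTLS or OpenSSL, and not part of the original message): under RFC 2818 a client that connects by IP address compares it only with the certificate's iPAddress SAN entries, and a hostname only with dNSName entries. The function names are hypothetical; the SAN line is the one from the quoted report, and the `DNS:192.168.1.7` case is constructed.

```python
import ipaddress

# SAN line from the `openssl x509 -text` output in the quoted report.
REPORT_SAN = ("DNS:host.example.com, DNS:host.localdomain, DNS:host, "
              "IP Address:192.168.1.7")


def parse_san(text):
    """Split an openssl-style SAN line into (dns_names, ip_addresses)."""
    dns, ips = [], []
    for entry in text.split(","):
        kind, _, value = entry.strip().partition(":")
        if kind == "DNS":
            dns.append(value.lower().rstrip("."))
        elif kind == "IP Address":
            ips.append(ipaddress.ip_address(value))
    return dns, ips


def dns_match(host, pattern):
    """Exact match, or a wildcard covering exactly one left-most label."""
    if pattern.startswith("*."):
        head, _, rest = host.partition(".")
        return bool(head) and rest == pattern[2:]
    return host == pattern


def san_matches(reference, san_text):
    """Return True if the name the client connected to is in the SAN."""
    dns, ips = parse_san(san_text)
    try:
        ref_ip = ipaddress.ip_address(reference)
    except ValueError:
        ref_ip = None
    if ref_ip is not None:
        # An IP reference is compared only with iPAddress entries, exactly.
        return ref_ip in ips
    host = reference.lower().rstrip(".")
    return any(dns_match(host, p) for p in dns)


if __name__ == "__main__":
    for name in ("192.168.1.7", "host", "192.168.1.8"):
        print(name, san_matches(name, REPORT_SAN))
    # Constructed misconfiguration: address stored as a dNSName entry.
    print(san_matches("192.168.1.7", "DNS:192.168.1.7"))
```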

