Bug 2089817

Summary: wget fails to download files from protected URLs which require client certificates
Product: Red Hat Enterprise Linux 8 Reporter: Oliver Ilian <oliver>
Component: gnutlsAssignee: Daiki Ueno <dueno>
Status: VERIFIED --- QA Contact: Alexander Sosedkin <asosedki>
Severity: medium Docs Contact:
Priority: medium    
Version: 8.3CC: cllang, dueno, hkario, jorton, mruprich, mschibli, zfridric
Target Milestone: rcKeywords: Triaged
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: gnutls-3.6.16-7.el8 Doc Type: Bug Fix
Doc Text:
Cause: session_ticket_renew flag isn't cleared at the end of the handshake Consequence: gnutls waits for NewSessionTicket but fails with "An unexpected TLS packet was received" during rehandshake Fix: Clear session_ticket_renew flag after each handshake Result: Rehandshake can be successfully performed
 Story Points: ---
Clone Of:
: 2136072 (view as bug list) Environment:
Last Closed: Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2136072    

Description Oliver Ilian 2022-05-24 13:45:39 UTC 
Description of problem:
wget is failing to download files from a protected URL that requires client certificates
Curl works without issues and wget/curl on RHEL 7 also have no issues

Version-Release number of selected component (if applicable):
RHEL 8
wget-1.19.5-10.el8 

How reproducible:
always

Steps to Reproduce:
1. try to download a file with wget by using a client certificate:
wget --no-proxy --certificate=./customer_client.crt --private-key=./customer_client.key 'https://www.example.com'

Actual results:
error message and file is not downloaded:
*****
HTTP request sent, awaiting response... GnuTLS: An unexpected TLS packet was received.
Read error (Success.) in headers.
Retrying.


Expected results:
the file should be downloaded


Additional info:
The following stanza is used on the server.

   <Location ~ "/(info|sbf-exp|ex-file|vmware_to_alloc)">
        SSLVerifyClient require
        SSLVerifyDepth 5
    </Location>


verbose wget output:

wget --verbose --no-proxy --certificate=./customer_client.crt --private-key=./customer_client.key 'https://www.example.com'
--2022-05-24 10:17:11--  https://www.example.com
Resolving www.example.com (www.example.com)... 127.0.0.1
Connecting to www.example.com (www.example.com)|127.0.0.1|:443... connected.
HTTP request sent, awaiting response... GnuTLS: A TLS fatal alert has been received.
GnuTLS: received alert [40]: Handshake failed
Read error (Success.) in headers.
Retrying.

--2022-05-24 10:17:13--  (try: 2)  https://www.example.com
Connecting to www.example.com (www.example.com)|127.0.0.1|:443... connected.
HTTP request sent, awaiting response... GnuTLS: A TLS fatal alert has been received.
GnuTLS: received alert [40]: Handshake failed
Read error (Success.) in headers.
Retrying.

--2022-05-24 10:17:15--  (try: 3)  https://www.example.com
Connecting to www.example.com (www.example.com)|127.0.0.1|:443... connected.
HTTP request sent, awaiting response... GnuTLS: A TLS fatal alert has been received.
GnuTLS: received alert [40]: Handshake failed
Read error (Success.) in headers.
Retrying.