Bug 2089817 - wget fails to download files from protected URLs which require client certificates
Summary: wget fails to download files from protected URLs which require client certifi...
Keywords:
Status: VERIFIED
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: gnutls
Version: 8.3
Hardware: x86_64
OS: Linux
medium
medium
Target Milestone: rc
: ---
Assignee: Daiki Ueno
QA Contact: Alexander Sosedkin
URL:
Whiteboard:
Depends On:
Blocks: 2136072
TreeView+ depends on / blocked
 
Reported: 2022-05-24 13:45 UTC by Oliver Ilian
Modified: 2023-06-27 17:49 UTC (History)
7 users (show)

Fixed In Version: gnutls-3.6.16-7.el8
Doc Type: Bug Fix
Doc Text:
Cause: session_ticket_renew flag isn't cleared at the end of the handshake Consequence: gnutls waits for NewSessionTicket but fails with "An unexpected TLS packet was received" during rehandshake Fix: Clear session_ticket_renew flag after each handshake Result: Rehandshake can be successfully performed
Clone Of:
: 2136072 (view as bug list)
Environment:
Last Closed:
Type: Bug
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker CRYPTO-8159 0 None None None 2022-08-29 02:38:44 UTC
Red Hat Issue Tracker CRYPTO-8197 0 None None None 2022-08-31 10:44:17 UTC
Red Hat Issue Tracker RHELPLAN-123191 0 None None None 2022-05-24 13:55:44 UTC

Description Oliver Ilian 2022-05-24 13:45:39 UTC 
Description of problem:
wget is failing to download files from a protected URL that requires client certificates
Curl works without issues and wget/curl on RHEL 7 also have no issues

Version-Release number of selected component (if applicable):
RHEL 8
wget-1.19.5-10.el8 

How reproducible:
always

Steps to Reproduce:
1. try to download a file with wget by using a client certificate:
wget --no-proxy --certificate=./customer_client.crt --private-key=./customer_client.key 'https://www.example.com'

Actual results:
error message and file is not downloaded:
*****
HTTP request sent, awaiting response... GnuTLS: An unexpected TLS packet was received.
Read error (Success.) in headers.
Retrying.


Expected results:
the file should be downloaded


Additional info:
The following stanza is used on the server.

   <Location ~ "/(info|sbf-exp|ex-file|vmware_to_alloc)">
        SSLVerifyClient require
        SSLVerifyDepth 5
    </Location>


verbose wget output:

wget --verbose --no-proxy --certificate=./customer_client.crt --private-key=./customer_client.key 'https://www.example.com'
--2022-05-24 10:17:11--  https://www.example.com
Resolving www.example.com (www.example.com)... 127.0.0.1
Connecting to www.example.com (www.example.com)|127.0.0.1|:443... connected.
HTTP request sent, awaiting response... GnuTLS: A TLS fatal alert has been received.
GnuTLS: received alert [40]: Handshake failed
Read error (Success.) in headers.
Retrying.

--2022-05-24 10:17:13--  (try: 2)  https://www.example.com
Connecting to www.example.com (www.example.com)|127.0.0.1|:443... connected.
HTTP request sent, awaiting response... GnuTLS: A TLS fatal alert has been received.
GnuTLS: received alert [40]: Handshake failed
Read error (Success.) in headers.
Retrying.

--2022-05-24 10:17:15--  (try: 3)  https://www.example.com
Connecting to www.example.com (www.example.com)|127.0.0.1|:443... connected.
HTTP request sent, awaiting response... GnuTLS: A TLS fatal alert has been received.
GnuTLS: received alert [40]: Handshake failed
Read error (Success.) in headers.
Retrying.
Note You need to log in before you can comment on or make changes to this bug.