AW: wget - The certificate has not yet been activated (does also happen in qemuarm "virt" machine)

AW: wget - The certificate has not yet been activated (does also happen in qemuarm "virt" machine)

[Matthias Klein]

Hello together,

I can "fix" the bug by switching from gnutls to openssl:

PACKAGECONFIG:remove = "gnutls"
PACKAGECONFIG:append = " openssl"

Can anyone explain this?
What exactly does the change to openssl mean?

Many greetings,
Matthias

Re: [yocto] wget - The certificate has not yet been activated (does also happen in qemuarm "virt" machine)

[Khem Raj]

On Thu, Feb 3, 2022 at 9:14 AM Matthias Klein
<matthias.klein@optimeas.de> wrote:
>
> Hello together,
>
> I can "fix" the bug by switching from gnutls to openssl:
>
> PACKAGECONFIG:remove = "gnutls"
> PACKAGECONFIG:append = " openssl"
>
> Can anyone explain this?
> What exactly does the change to openssl mean?

this means you are choosing openSSL to provide TLS protocol
implementation instead of gnuTLS

>
> Many greetings,
> Matthias
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> You automatically follow any topics you start or reply to.
> View/Reply Online (#56061): https://lists.yoctoproject.org/g/yocto/message/56061
> Mute This Topic: https://lists.yoctoproject.org/mt/88879516/1997914
> Group Owner: yocto+owner@lists.yoctoproject.org
> Unsubscribe: https://lists.yoctoproject.org/g/yocto/unsub [raj.khem@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>

AW: [yocto] wget - The certificate has not yet been activated (does also happen in qemuarm "virt" machine)

[Matthias Klein]

Hello Khem,

> this means you are choosing openSSL to provide TLS protocol implementation instead of gnuTLS

Please excuse that my question was so unspecific.
Does it make a functional difference from which library the TLS support comes from?

Best regards,
Matthias

Re: [yocto] wget - The certificate has not yet been activated (does also happen in qemuarm "virt" machine)

[Khem Raj]

On Thu, Feb 3, 2022 at 11:20 PM Matthias Klein
<matthias.klein@optimeas.de> wrote:
>
> Hello Khem,
>
> > this means you are choosing openSSL to provide TLS protocol implementation instead of gnuTLS
>
> Please excuse that my question was so unspecific.
> Does it make a functional difference from which library the TLS support comes from?

ideally it should not. It really should be that app is using right
port to talk to the one you choose.
>
> Best regards,
> Matthias
>

Re: AW: wget - The certificate has not yet been activated (does also happen in qemuarm "virt" machine)

[Tomasz Moń]

On Thu, 2022-02-03 at 17:13 +0000, Matthias Klein wrote:
> I can "fix" the bug by switching from gnutls to openssl:
> 
> PACKAGECONFIG:remove = "gnutls"
> PACKAGECONFIG:append = " openssl"
> 
> Can anyone explain this?

The issue is that gnutls configure script detects 32-bit time_t while
wget detects 64-bit time_t.

Function ssl_check_certificate() in wget/src/gnutls.c contains:
  time_t now = time (NULL);
  ...
  if (now < gnutls_x509_crt_get_activation_time (cert))
  ...

gnutls_x509_crt_get_activation_time() returns time_t. In wget context
it means that two 64-bit time_t are being compared.

On imx6, when a function returns 32-bit value, the result is stored in
r0. When a function returns 64-bit value, the low 32-bits are stored in
r0 while the high 32-bits are stored in r1.

The problem is that gnutls_x509_crt_get_activation_time() compiled in
gnutls recipe, has 32-bit time_t and thus sets only r0. The likelihood
that r1 will have value that will make code consider the certificate as
active (before 2038 the only such value is 0) is low. As r1 is not 0,
the supposed activation time is way past 2038 and thus "The certificate
has not yet been activated" error is printed.

The solution is to fix gnutls recipe to detect time_t as 64-bit.

> What exactly does the change to openssl mean?

The gnutls_x509_crt_get_activation_time() is no longer used at all.
Instead, SSL_get_verify_result() is used (ssl_check_certificate() in
wget/src/openssl.c). The SSL_get_verify_result() does the check within
OpenSSL library itself, so even if wget and OpenSSL does not agree on
time_t size, it doesn't matter (wget and OpenSSL have to agree on long
size, because SSL_get_verify_result() returns long).

Best Regards,
Tomasz Moń