
Why can't gnutls contact the site in question, even though wget gets the page just fine?

$ gnutls-cli https://site.com/login.php --insecure --print-cert < /dev/null > cert
WARNING: gnome-keyring:: couldn't connect to: /run/user/dotancohen/keyring-Ekufyf/pkcs11: No such file or directory
Cannot resolve https://site.com/login.php:443: Name or service not known
$ wget https://site.com/login.php
--2013-01-23 19:07:57--  https://site.com/login.php
Resolving site.com (site.com)... 72.1.2.3
Connecting to site.com (site.com)|72.1.2.3|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 6581 (6.4K) [text/html]
Saving to: `login.php'

100%[=============================================>] 6,581       --.-K/s   in 0s

2013-01-23 19:07:58 (47.8 MB/s) - `login.php' saved [6581/6581]

$
dotancohen
  • Is this true for any and all sites or just some? What is the gnutls version (gnutl-cli -v)? – goldilocks Jan 23 '13 at 17:46
  • gnutls-cli expects a hostname (with -p for the port), not a URL – Stéphane Chazelas Jan 23 '13 at 18:05
  • Thank you Stephane. How does it handle virtual hosts, then, i.e. when multiple sites are hosted on the same server by the same apache instance, on the same IP and port? – dotancohen Jan 23 '13 at 18:24
  • @dotancohen: 1) You must understand that gnutls-cli is only a TLS (SSL) client – it doesn't care at all about higher-level protocols such as HTTP. 2) However, at TLS level, if you give gnutls-cli a hostname, it sends that hostname to the server, the same way as browsers do – and that's sufficient for the server to pick the right certificate. – u1686_grawity Jan 23 '13 at 19:49
  • @dotancohen: (The protocol extension for this is "Server Name Indication". It's fairly new, however, and many older SSL servers simply put all vhost names into a single certificate, or only host one site per IP address.) – u1686_grawity Jan 23 '13 at 23:40

1 Answer

As Stephane Chazelas noted in their comment, the problem is that you're giving a URL instead of a hostname. gnutls-cli is only an SSL/TLS client and does not know anything about URIs or higher-level protocols such as HTTP; it expects to be given only a hostname (or IP address) to connect to.
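As an added illustration (this is not code from the question or the answer above), the small POSIX shell helper below takes the URL the asker had in mind, pulls out the only two things gnutls-cli actually needs, the hostname and the port, and invokes gnutls-cli with them. Because gnutls-cli is handed a hostname rather than an IP, it sends that name to the server as the SNI value, so a virtual host picks the matching certificate, which is the point made in the comments. The URL in the usage comment is a constructed placeholder, and the helper assumes gnutls-cli is installed; it deliberately leaves certificate verification on rather than passing --insecure as the original attempt did.

```shell
#!/bin/sh
# Added example, not from the original post: turn a URL into the
# hostname and port arguments that gnutls-cli expects, then run it.

# url_host URL -> hostname only (scheme, userinfo, port and path removed).
# Assumption: bracketed IPv6 literals are not handled.
url_host() {
    h=${1#*://}          # strip "scheme://"
    h=${h%%/*}           # strip "/path..."
    h=${h##*@}           # strip "user:pass@"
    h=${h%%:*}           # strip ":port"
    printf '%s\n' "$h"
}

# url_port URL -> explicit port if present, otherwise 443 for https and
# 80 for http (anything else defaults to 443, the TLS port being probed).
url_port() {
    h=${1#*://}
    h=${h%%/*}
    h=${h##*@}
    case $h in
        *:*) printf '%s\n' "${h##*:}" ;;
        *)
            case $1 in
                http://*) echo 80 ;;
                *)        echo 443 ;;
            esac
            ;;
    esac
}

# tls_probe URL -> connect with gnutls-cli to the host/port the URL names
# and dump the certificate chain the server presents for that SNI name.
# Verification stays enabled, so a name mismatch or untrusted CA is
# reported instead of silently accepted.
# usage: tls_probe https://site.com/login.php > cert
tls_probe() {
    host=$(url_host "$1")
    port=$(url_port "$1")
    gnutls-cli --print-cert -p "$port" "$host" < /dev/null
}
```

If the server hosts several names on one IP, changing only the hostname argument (and nothing about the IP or port) is what changes the certificate gnutls-cli prints, which is a quick way to confirm that SNI is being honoured for each vhost.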