<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">

<html lang="en">

<head>

<meta content="text/html; charset=US-ASCII" http-equiv="Content-Type">

<title>

GitLab

</title>

<style>img {

max-width: 100%; height: auto;

}

</style>

</head>

<body>

<div class="content">

<p class="details" style="font-style: italic; color: #777;">

<a href="https://gitlab.com/atwebm">Markus Weber</a> created an issue:

</p>

<div></div>

<h2 dir="auto">

<a id="user-content-description-of-problem" class="anchor" href="#description-of-problem" aria-hidden="true"></a>Description of problem:</h2>

<p dir="auto">The Type "Registered ID" with Index Nr. 8 is missing in the GnuTLS-Build of Debian 10.2 (Buster).

<a href="https://www.alvestrand.no/objectid/2.5.29.17.html" rel="nofollow noreferrer noopener" target="_blank">https://www.alvestrand.no/objectid/2.5.29.17.html</a></p>

<p dir="auto">This prevents the Connection of wget to ElasticSearch secured with SearchGuard

<a href="https://docs.search-guard.com/latest/tls-in-production" rel="nofollow noreferrer noopener" target="_blank">https://docs.search-guard.com/latest/tls-in-production</a></p>

<h2 dir="auto">

<a id="user-content-version-of-gnutls-used" class="anchor" href="#version-of-gnutls-used" aria-hidden="true"></a>Version of gnutls used:</h2>

<h1 dir="auto">

<a id="user-content-apt-search-gnutls-grep-installed" class="anchor" href="#apt-search-gnutls-grep-installed" aria-hidden="true"></a>apt search gnutls | grep installed</h1>

<p dir="auto">libcurl3-gnutls/stable,stable,now 7.64.0-4 amd64 [installed,automatic]

libgnutls30/stable,stable,now 3.6.7-4 amd64 [installed]

libsoup2.4-1/stable,stable,now 2.64.2-2 amd64 [installed,automatic]

python3-pycurl/stable,stable,now 7.43.0.2-0.1 amd64 [installed,automatic]</p>

<h2 dir="auto">

<a id="user-content-distributor-of-gnutls-eg-ubuntu-fedora-rhel" class="anchor" href="#distributor-of-gnutls-eg-ubuntu-fedora-rhel" aria-hidden="true"></a>Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)</h2>

<p dir="auto">Debian 10.2 (buster)</p>

<h2 dir="auto">

<a id="user-content-how-reproducible" class="anchor" href="#how-reproducible" aria-hidden="true"></a>How reproducible:</h2>

<p dir="auto">wget against a https-Server, which has a Certificate, that uses a custom oid in the "Subject Alternative Name"-Field</p>

<h2 dir="auto">

<a id="user-content-actual-results" class="anchor" href="#actual-results" aria-hidden="true"></a>Actual results:</h2>

<p dir="auto">/usr/lib/nagios/plugins/check_elasticsearch -H server.fqdn -u user -p password -c /etc/ssl/certs/elasticsearch-CA.pem -s -N -V

--2020-01-11 20:16:09--  <a href="https://server:9200/_cluster/health?pretty=true" rel="nofollow noreferrer noopener" target="_blank">https://server:9200/_cluster/health?pretty=true</a>

Loaded CA certificate '/etc/ssl/certs/elasticsearch-CA.pem'

Resolving server.fqdn (server.fqdn)... 1.2.3.4

Connecting to server.fqdn (server.fqdn)|1.2.3.4|:9200... connected.

GnuTLS: Unknown Subject Alternative name in X.509 certificate.

Unable to establish SSL connection.

CRITICAL - Could not connect to server server.fqdn</p>

<h2 dir="auto">

<a id="user-content-expected-results" class="anchor" href="#expected-results" aria-hidden="true"></a>Expected results:</h2>

<p dir="auto">From another System with Debian 9.11

/usr/lib/nagios/plugins/check_elasticsearch -H server.fqdn -u user -p password -c /etc/ssl/certs/elasticsearch-CA.pem -s -N -V

--2020-01-11 20:45:37--  <a href="https://server.fqdn:9200/_cluster/health?pretty=true" rel="nofollow noreferrer noopener" target="_blank">https://server.fqdn:9200/_cluster/health?pretty=true</a>

Loaded CA certificate '/etc/ssl/certs/elasticsearch-CA.pem'

Resolving server.fqdn (server.fqdn)... 1.2.3.4

Connecting to de1app3.doitll.com (server.fqdn)|1.2.3.4|:9200... connected.

HTTP request sent, awaiting response... 401 Unauthorized

Authentication selected: Basic realm="Search Guard"

Reusing existing connection to [server.fqdn]:9200.

HTTP request sent, awaiting response... 200 OK

Length: 462 [application/json]

Saving to: ‘/tmp/tmp.dV2lmBXb4g-check_elasticsearch’</p>

<p dir="auto">/tmp/tmp.dV2lmBXb4g-check_elasticsearch                      100%[=============================================================================================================================================>]     462  --.-KB/s    in 0s</p>

<p dir="auto">2020-01-11 20:45:38 (15.4 MB/s) - ‘/tmp/tmp.dV2lmBXb4g-check_elasticsearch’ saved [462/462]</p>

<p dir="auto">OK - elasticsearch (cluster) is running. status: green; timed_out: false; ...</p>

</div>

<div class="footer" style="margin-top: 10px;">

<p style="font-size: small; color: #777;">

—

<br>

Reply to this email directly or <a href="https://gitlab.com/gnutls/gnutls/issues/905">view it on GitLab</a>.

<br>

You're receiving this email because of your account on gitlab.com.

If you'd like to receive fewer emails, you can

<a href="https://gitlab.com/sent_notifications/d04c432ee01b84985193e02fe865b770/unsubscribe">unsubscribe</a>

from this thread or

adjust your notification settings.

<script type="application/ld+json">{"@context":"http://schema.org","@type":"EmailMessage","action":{"@type":"ViewAction","name":"View Issue","url":"https://gitlab.com/gnutls/gnutls/issues/905"}}</script>

</p>

</div>

</body>

</html>