Package: wget
Version: 1.13.4-1
Severity: normal

Dear Maintainer,

wget fails to connect to https://patchwork.sugarlabs.org/, claiming the
certificate is untrusted:

(wheezy-jhbuild)sascha.silbe@twin:~/sugar-jhbuild/source/sugar$ wget -d -O - https://patchwork.sugarlabs.org/patch/1084/mbox/
Setting --output-document (outputdocument) to -
DEBUG output created by Wget 1.13.4 on linux-gnu.

URI encoding = `UTF-8'
--2011-12-17 16:34:47--  https://patchwork.sugarlabs.org/patch/1084/mbox/
Resolving patchwork.sugarlabs.org (patchwork.sugarlabs.org)... 140.186.70.53, 2002:8cba:4635::1
Caching patchwork.sugarlabs.org => 140.186.70.53 2002:8cba:4635::1
Connecting to patchwork.sugarlabs.org (patchwork.sugarlabs.org)|140.186.70.53|:443... connected.
Created socket 5.
Releasing 0x0000000001603d20 (new refcount 1).
ERROR: The certificate of `patchwork.sugarlabs.org' is not trusted.
(wheezy-jhbuild)sascha.silbe@twin:~/sugar-jhbuild/source/sugar$

The OpenSSL command-line tool s_client can connect quite fine to the
same server, however:

(wheezy-jhbuild)sascha.silbe@twin:~/sugar-jhbuild/source/sugar$ openssl s_client -CApath /etc/ssl/certs -connect patchwork.sugarlabs.org:443
CONNECTED(00000003)
depth=2 O = Root CA, OU = http://www.cacert.org, CN = CA Cert Signing Authority, emailAddress = supp...@cacert.org
verify return:1
depth=1 O = CAcert Inc., OU = http://www.CAcert.org, CN = CAcert Class 3 Root
verify return:1
depth=0 CN = *.sugarlabs.org
verify return:1
---
Certificate chain
 0 s:/CN=*.sugarlabs.org
   i:/O=CAcert Inc./OU=http://www.CAcert.org/CN=CAcert Class 3 Root
 1 s:/O=CAcert Inc./OU=http://www.CAcert.org/CN=CAcert Class 3 Root
   i:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=supp...@cacert.org
---
Server certificate
subject=/CN=*.sugarlabs.org
issuer=/O=CAcert Inc./OU=http://www.CAcert.org/CN=CAcert Class 3 Root
---
No client certificate CA names sent
---
SSL handshake has read 3226 bytes and written 369 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
    Protocol  : SSLv3
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 60D5304D64255F9F398C623BCCBB94D29ACB536C0C39EC9DBBCA77B64693E63E
    Session-ID-ctx:
    Master-Key: A358E6D5DF040C3D36017368C5B06C969760F40C8A0421E5F5CA88E86B06E04D2A081A4DC6FA00B00BE476CDC2124FA9
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    Compression: 1 (zlib compression)
    Start Time: 1324135451
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---


Explicitly setting the directory for the CA certificates (like s_client
needs) doesn't help either:

(wheezy-jhbuild)sascha.silbe@twin:~/sugar-jhbuild/source/sugar$ wget -d --ca-directory=/etc/ssl/certs -O - https://patchwork.sugarlabs.org/patch/1084/mbox/
Setting --ca-directory (cadirectory) to /etc/ssl/certs
Setting --output-document (outputdocument) to -
DEBUG output created by Wget 1.13.4 on linux-gnu.

URI encoding = `UTF-8'
--2011-12-17 16:32:56--  https://patchwork.sugarlabs.org/patch/1084/mbox/
Resolving patchwork.sugarlabs.org (patchwork.sugarlabs.org)... 140.186.70.53, 2002:8cba:4635::1
Caching patchwork.sugarlabs.org => 140.186.70.53 2002:8cba:4635::1
Connecting to patchwork.sugarlabs.org (patchwork.sugarlabs.org)|140.186.70.53|:443... connected.
Created socket 5.
Releasing 0x000000000161dd40 (new refcount 1).
ERROR: The certificate of `patchwork.sugarlabs.org' is not trusted.
(wheezy-jhbuild)sascha.silbe@twin:~/sugar-jhbuild/source/sugar$


Using --no-check-certificate works around the problem (but obviously
introduces a security issue):

(wheezy-jhbuild)sascha.silbe@twin:~/sugar-jhbuild/source/sugar$ wget -d --no-check-certificate -O - https://patchwork.sugarlabs.org/patch/1084/mbox/ |wc
Setting --check-certificate (checkcertificate) to 0
Setting --output-document (outputdocument) to -
DEBUG output created by Wget 1.13.4 on linux-gnu.

URI encoding = `UTF-8'
--2011-12-17 16:38:14--  https://patchwork.sugarlabs.org/patch/1084/mbox/
Resolving patchwork.sugarlabs.org (patchwork.sugarlabs.org)... 140.186.70.53, 2002:8cba:4635::1
Caching patchwork.sugarlabs.org => 140.186.70.53 2002:8cba:4635::1
Connecting to patchwork.sugarlabs.org (patchwork.sugarlabs.org)|140.186.70.53|:443... connected.
Created socket 5.
Releasing 0x0000000002216d20 (new refcount 1).
WARNING: The certificate of `patchwork.sugarlabs.org' is not trusted.

---request begin---
GET /patch/1084/mbox/ HTTP/1.1
User-Agent: Wget/1.13.4 (linux-gnu)
Accept: */*
Host: patchwork.sugarlabs.org
Connection: Keep-Alive

---request end---
HTTP request sent, awaiting response...
---response begin---
HTTP/1.1 200 OK
Date: Sat, 17 Dec 2011 16:38:16 GMT
Server: Apache/2.2.14 (Ubuntu)
Content-Type: text/plain
Content-Disposition: attachment; filename=v5-sucrose-0.94-RFC-Add-capability-to-connect-to-WPA-WPA2-Enterprise-Networks..patch
Vary: Accept-Encoding
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked

---response end---
200 OK
Registered socket 5 for persistent reuse.
Length: unspecified [text/plain]
Saving to: `STDOUT'

    [  <=>                                  ] 33,610       107K/s   in 0.3s

2011-12-17 16:38:16 (107 KB/s) - written to stdout [33610]

    828    2516   33610
(wheezy-jhbuild)sascha.silbe@twin:~/sugar-jhbuild/source/sugar$


-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages wget depends on:
ii  dpkg           1.16.1.2
ii  install-info   4.13a.dfsg.1-8
ii  libc6          2.13-21
ii  libgcrypt11    1.5.0-3
ii  libgnutls26    2.12.14-4
ii  libgpg-error0  1.10-1
ii  libidn11       1.23-1
ii  zlib1g         1:1.2.3.4.dfsg-3

wget recommends no packages.

wget suggests no packages.

-- no debconf information
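
Added example (not part of the original report, and not wget's own code): a shell check that finds places where the --no-check-certificate workaround shown above, or its wgetrc form check_certificate = off, has been left behind in scripts and configuration. The sample tree and its file names are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a tree for disabled wget certificate verification.

# Report "file:line: kind: text" for every non-comment line that disables it.
scan_wget_verification() {
    find "$1" -type f -exec awk '
        /^[ \t]*#/ { next }    # comment lines (and shebangs) are not findings
        /(^|[ \t])--no-check-certificate([ \t]|$)/ {
            print FILENAME ":" FNR ": flag: " $0; next
        }
        {
            # wgetrc commands ignore case, "-" and "_": normalise, then match
            line = tolower($0); gsub(/[-_ \t]/, "", line)
            if (line ~ /^checkcertificate=(off|0|no)$/)
                print FILENAME ":" FNR ": wgetrc: " $0
        }
    ' {} +
}

# Constructed sample tree (hypothetical file names, not from the report).
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/ci" "$root/home"
    cat > "$root/ci/fetch-patch.sh" <<'EOF'
#!/bin/sh
# temporary workaround until the trust problem is fixed
wget --no-check-certificate -O - https://patchwork.sugarlabs.org/patch/1084/mbox/
EOF
    cat > "$root/ci/fetch-ok.sh" <<'EOF'
#!/bin/sh
wget --ca-directory=/etc/ssl/certs -O - https://patchwork.sugarlabs.org/patch/1084/mbox/
EOF
    cat > "$root/home/.wgetrc" <<'EOF'
# check_certificate = off   (commented out, so not a finding)
Check-Certificate = off
EOF
    printf '%s\n' "$root"
}

sample=$(make_sample_tree)
scan_wget_verification "$sample"
rm -rf "$sample"
```

Only the script that passes the flag and the active wgetrc line are reported; the commented-out setting and the script that keeps verification enabled are not.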


