[Bug-wget] wget seems to be out of touch with security (fails on most (all?) http websites...(where browsers work)

2013-12-19 Thread L Walsh

I recently started using 1.14 of wget included with my distro's updates:
GNU Wget 1.14 built on linux-gnu.

+digest +https +ipv6 +iri +large-file +nls +ntlm +opie +ssl/openssl

Wgetrc:
/home/law/.wgetrc (user)
/etc/wgetrc (system)
Locale: /usr/share/locale
Compile: gcc -DHAVE_CONFIG_H -DSYSTEM_WGETRC=/etc/wgetrc
-DLOCALEDIR=/usr/share/locale -I. -I../lib -I../lib
-fmessage-length=0 -grecord-gcc-switches -O2 -Wall
-D_FORTIFY_SOURCE=2 -fstack-protector -funwind-tables
-fasynchronous-unwind-tables -g
Link: gcc -fmessage-length=0 -grecord-gcc-switches -O2 -Wall
-D_FORTIFY_SOURCE=2 -fstack-protector -funwind-tables
-fasynchronous-unwind-tables -g -lproxy /usr/lib64/libssl.so
/usr/lib64/libcrypto.so /usr/lib64/libz.so -ldl -lz -lz -lidn
ftp-opie.o openssl.o http-ntlm.o ../lib/libgnu.a



Trouble is, it gives security warnings on almost every https
site I access.

I can't think of 1 where I didn't have to override the security
warning (and this time, I just put it in my .wgetrc file).

So why does wget get all these errors when my browsers don't?



Like here is pulling a single doc from the POSIX folks at
open group.  Anyone have an idea why certs from godaddy would
not resolve properly?

Thanks...

wget https://collaboration.opengroup.org/pegasus/pp/documents/29166/ReleaseNotes.htm
--2013-12-19 20:38:25--  https://collaboration.opengroup.org/pegasus/pp/documents/29166/ReleaseNotes.htm
Resolving collaboration.opengroup.org (collaboration.opengroup.org)... 64.79.149.150
Connecting to collaboration.opengroup.org (collaboration.opengroup.org)|64.79.149.150|:443... connected.
WARNING: cannot verify collaboration.opengroup.org's certificate, issued by ‘/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287’:
  Self-signed certificate encountered.
HTTP request sent, awaiting response... 302 Found
Location: https://sso.opengroup.org/IDBUS/PROD/PHP-PLATO/JOSSO/SSO/REDIR?josso_back_to=https://collaboration.opengroup.org/josso/josso-php-partnerapp/josso-security-check.php&josso_cmd=login_optional&josso_partnerapp_host=collaboration.opengroup.org&josso_partnerapp_id=plato [following]
--2013-12-19 20:38:26--  https://sso.opengroup.org/IDBUS/PROD/PHP-PLATO/JOSSO/SSO/REDIR?josso_back_to=https://collaboration.opengroup.org/josso/josso-php-partnerapp/josso-security-check.php&josso_cmd=login_optional&josso_partnerapp_host=collaboration.opengroup.org&josso_partnerapp_id=plato
Resolving sso.opengroup.org (sso.opengroup.org)... 64.79.149.147
Connecting to sso.opengroup.org (sso.opengroup.org)|64.79.149.147|:443... connected.
WARNING: cannot verify sso.opengroup.org's certificate, issued by ‘/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287’:
  Self-signed certificate encountered.
HTTP request sent, awaiting response... 302 Found
Location: https://collaboration.opengroup.org/josso/josso-php-partnerapp/josso-security-check.php [following]
--2013-12-19 20:38:26--  https://collaboration.opengroup.org/josso/josso-php-partnerapp/josso-security-check.php
Reusing existing connection to collaboration.opengroup.org:443.
HTTP request sent, awaiting response... 302 Found
Location: /pegasus/pp/documents/29166/ReleaseNotes.htm [following]
--2013-12-19 20:38:26--  https://collaboration.opengroup.org/pegasus/pp/documents/29166/ReleaseNotes.htm
Reusing existing connection to collaboration.opengroup.org:443.
HTTP request sent, awaiting response... 200 OK
Length: 103075 (101K) [text/html]
Saving to: ‘ReleaseNotes.htm’



Re: [Bug-wget] wget seems to be out of touch with security (fails on most (all?) https websites...(where browsers work)

2013-12-19 Thread Daniel Kahn Gillmor
i think your subject line meant https instead of http, so i've
updated it.

On 12/19/2013 11:40 PM, L Walsh wrote:
> I recently started using 1.14 of wget included with my distro's updates:
> GNU Wget 1.14 built on linux-gnu.

you don't mention which distro you're using, or which version of openssl
is in place.  those would be useful pieces of information :)

> wget https://collaboration.opengroup.org/pegasus/pp/documents/29166/ReleaseNotes.htm

you're using wget with openssl.  what does openssl's own client say when
it tries to connect to the same server?

 openssl s_client -connect collaboration.opengroup.org:443

Do you have a copy of Go Daddy's level 2 root CA's certificate?  If
so, is it reachable from openssl's default CA directory ?  normally, i
think that's /etc/ssl/certs (at least it is on debian).  Is that
directory properly hashed?

have you tried passing --ca-certificate or --ca-directory (with the
appropriate arguments?) to wget?

hth,

--dkg


Re: [Bug-wget] wget seems to be out of touch with security (fails on most (all?) http websites...(where browsers work)

2013-12-19 Thread mancha
L Walsh <wget at tlinx.org> writes:

>
> I recently started using 1.14 of wget included with my distro's updates:
> GNU Wget 1.14 built on linux-gnu.
>
> Trouble is, it gives security warnings on almost every https
> site I access.
>
> I can't think of 1 where I didn't have to override the security
> warning (and this time, I just put it in my .wgetrc file).
>
> So why does wget get all these errors when my browsers don't?

It appears your wget is built against the openssl library. For https
certificate verification to work in wget automagically as it does in
the major browsers, openssl needs a properly configured root
certificate store (default location: /etc/ssl/certs).

Check your distrib's documentation/support forums/mailing lists
for how to set this up. It might be a package that you can easily
install (for example, Debian and derivatives call theirs
ca-certificates).

This is not a wget issue proper.

--mancha
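The two replies above boil down to the same checklist: reproduce the failure with OpenSSL's own client, confirm that the CA directory wget's OpenSSL uses is present and hashed, and point wget at an explicit store with --ca-directory/--ca-certificate rather than switching verification off in ~/.wgetrc. The script below is an added example written for this page; it is not code from the thread, from wget or from OpenSSL. It assumes the openssl command-line tool is on PATH; the host name and directory in the usage note are placeholders taken from the thread, and the throwaway certificate used to exercise check_hashed is constructed, not a real CA.

```sh
#!/bin/sh
# Added example (not from the thread, wget or OpenSSL): diagnose the
# "cannot verify ... certificate" warning for an OpenSSL-linked wget.
# Assumes the openssl CLI is on PATH; host names and paths are placeholders.

# Where this OpenSSL build looks for CA certificates by default
# (OPENSSLDIR/certs). Prints nothing if "openssl version -d" is unparsable.
ca_dir_default() {
    openssl version -d | sed -n 's/^OPENSSLDIR: "\(.*\)"$/\1\/certs/p'
}

# OpenSSL does not read every file in a -CApath directory; it looks up
# <subject-hash>.N links, which c_rehash (or "openssl rehash") creates.
# Return 0 if every PEM certificate in $1 has such a link, 1 otherwise,
# listing the unhashed files on stderr.
check_hashed() {
    dir=$1
    missing=0
    for pem in "$dir"/*.pem "$dir"/*.crt; do
        [ -f "$pem" ] || continue
        # skip files that are not certificates (e.g. private keys)
        h=$(openssl x509 -noout -subject_hash -in "$pem" 2>/dev/null) || continue
        if ! ls "$dir/$h".[0-9]* >/dev/null 2>&1; then
            echo "unhashed: $pem (subject hash $h)" >&2
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Reproduce wget's verification with OpenSSL's own client, as suggested in
# the thread: print the "Verify return code" line for host $1 on port 443,
# using the CA directory $2 if given, otherwise OpenSSL's default store.
# A code of 0 (ok) means the store is fine and the problem is elsewhere;
# "unable to get local issuer certificate" or "self signed certificate in
# certificate chain" means the chain does not reach a root in that store.
probe_chain() {
    host=$1
    cadir=${2:-$(ca_dir_default)}
    openssl s_client -connect "$host:443" -servername "$host" -CApath "$cadir" \
        </dev/null 2>/dev/null | grep 'Verify return code'
}
```

Usage, with the host from the original report: `check_hashed /etc/ssl/certs` reports any certificate that OpenSSL would never find, `probe_chain collaboration.opengroup.org` shows the verification result without involving wget at all, and once a directory passes both checks, `wget --ca-directory=/etc/ssl/certs https://...` (or `--ca-certificate=bundle.pem` for a single file) makes wget verify against it, which is the fix the thread recommends instead of `check_certificate = off`.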