Re: [Bug-wget] wget seems to be out of touch with security (fails on most (all?) http websites...(where browsers work)

2013-12-21 Thread L Walsh



mancha wrote:
> L Walsh wget at tlinx.org writes:
>> I recently started using 1.14 of wget included with my distro's updates:
>> GNU Wget 1.14 built on linux-gnu.
>>
>> Trouble is, it gives security warnings on almost every https
>> site I access.
>>
>> I can't think of 1 where I didn't have to override the security
>> warning (and this time, I just put it in my .wgetrc file).
>>
>> So why does wget get all these errors when my browsers don't?
>
> It appears your wget is built against the openssl library. For https
> certificate verification to work in wget automagically as it does in
> the major browsers, openssl needs a properly configured root
> certificate store (default location: /etc/ssl/certs).


-
What format file does wget require?

I noticed in /etc/ssl/certs:
  README.RootCerts:
    The OpenSSL project does not (any longer) include root CA certificates.
(and a suggestion to go read an FAQ (not in same dir -- have to find it)).
Other than that -- a bunch of .pem files, but only for local daemons (likely
self-signed... imaps stuff mostly).
---
I noticed firefox points at the /etc/pki/nssdb, where I see
cert9.db, key4.db and pkcs11.txt (all dated Dec 9)...
would wget be able to read those?   That seems to be where the
current cert-store is... but not in pem.

(FWIW -- one would think SUSE would have set this up
in advance for their distro version of wget... but I guess
that'd be too much like right... sigh)



Re: [Bug-wget] wget seems to be out of touch with security (fails on most (all?) http websites...(where browsers work)

2013-12-21 Thread Mike Frysinger
On Saturday 21 December 2013 16:51:56 L Walsh wrote:
> mancha wrote:
>> L Walsh wget at tlinx.org writes:
>>> I recently started using 1.14 of wget included with my distro's updates:
>>> GNU Wget 1.14 built on linux-gnu.
>>>
>>> Trouble is, it gives security warnings on almost every https
>>> site I access.
>>>
>>> I can't think of 1 where I didn't have to override the security
>>> warning (and this time, I just put it in my .wgetrc file).
>>>
>>> So why does wget get all these errors when my browsers don't?
>>
>> It appears your wget is built against the openssl library. For https
>> certificate verification to work in wget automagically as it does in
>> the major browsers, openssl needs a properly configured root
>> certificate store (default location: /etc/ssl/certs).
>
> -
> What format file does wget require?

in your build, wget uses openssl, and thus openssl is doing the cert parsing.
wget has no idea about file format.

> I noticed firefox points at the /etc/pki/nssdb

that's because firefox uses nss, and nss does all the parsing
-mike




Re: [Bug-wget] wget seems to be out of touch with security (fails on most (all?) http websites...(where browsers work)

2013-12-20 Thread Daniel Stenberg

On Fri, 20 Dec 2013, mancha wrote:

> This is not a wget issue proper.

If it only warns and still continues and gets the content, I would still call
it a problem.


--

 / daniel.haxx.se



Re: [Bug-wget] wget seems to be out of touch with security (fails on most (all?) http websites...(where browsers work)

2013-12-20 Thread mancha
Daniel Stenberg daniel at haxx.se writes:

> On Fri, 20 Dec 2013, mancha wrote:
>
>> This is not a wget issue proper.
>
> If it only warns and still continues and gets the content, I would still
> call it a problem.

I believe it continues because of an explicit user override of default
behavior (--no-check-certificate).

The reporter can confirm that, of course.

--mancha
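The override mancha is referring to, and the safer alternative, as an added example that is not part of this thread or of wget's own code: a small Python audit of a wgetrc file. It relies on wget's documented wgetrc syntax (command names are case-insensitive and ignore dashes and underscores; check_certificate takes on/off, and "off" is what --no-check-certificate sets) and works on a constructed sample ~/.wgetrc; the function names are the example's own.

```python
import os
import re

# Constructed sample: the kind of global override the reporter describes
# putting into ~/.wgetrc, with nothing telling wget where a trust store is.
SAMPLE_WGETRC = """\
# ~/.wgetrc (constructed sample)
timeout = 30
# silences the warning on every https site, and with it any interception
check_certificate = off
"""

# Boolean wgetrc values wget treats as false.
FALSE_VALUES = {"off", "no", "0"}


def normalize_command(name):
    """wgetrc commands are case-insensitive and ignore '-' and '_', so
    check_certificate, check-certificate and CheckCertificate are the same
    command; compare on the normalized form."""
    return re.sub(r"[-_]", "", name).lower()


def parse_wgetrc(text):
    """Return {normalized_command: value} from wgetrc text, skipping blank
    lines and '#' comments; a later line overrides an earlier one."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[normalize_command(key.strip())] = value.strip()
    return settings


def audit_wgetrc(text, path_exists=os.path.exists):
    """Flag the settings that decide whether wget verifies server
    certificates at all: a global check_certificate override, and trust-store
    locations that do not exist. Returns a list of findings (empty = clean).
    path_exists is injectable so the audit can run offline in a test."""
    settings = parse_wgetrc(text)
    findings = []
    if settings.get("checkcertificate", "on").lower() in FALSE_VALUES:
        findings.append("check_certificate is off: every https certificate is "
                        "accepted unverified (same as --no-check-certificate "
                        "on every run)")
    for cmd, kind in (("cacertificate", "file"), ("cadirectory", "directory")):
        if cmd in settings and not path_exists(settings[cmd]):
            findings.append(f"{cmd} points at a missing {kind}: {settings[cmd]}")
    return findings


def harden_wgetrc(text, ca_bundle):
    """Return the wgetrc with the check_certificate override removed and a
    ca_certificate line pointing at a CA bundle instead; wget hands the
    bundle to its TLS library, which does the actual verification."""
    kept = []
    for line in text.splitlines():
        key = line.split("=", 1)[0].strip()
        if ("=" in line and not line.lstrip().startswith("#")
                and normalize_command(key) == "checkcertificate"):
            continue
        kept.append(line)
    kept.append(f"ca_certificate = {ca_bundle}")
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for finding in audit_wgetrc(SAMPLE_WGETRC):
        print("finding:", finding)
    # /etc/ssl/ca-bundle.pem is the bundle the reporter's ca-certificates
    # package installs; any other bundle path works the same way.
    print(harden_wgetrc(SAMPLE_WGETRC, "/etc/ssl/ca-bundle.pem"))
```

Pointing ca_certificate at a bundle that exists only matters once the override is gone: with check_certificate off, wget accepts whatever the server presents regardless of the trust store.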

Re: [Bug-wget] wget seems to be out of touch with security (fails on most (all?) http websites...(where browsers work)

2013-12-20 Thread L Walsh



mancha wrote:
> L Walsh wget at tlinx.org writes:
>> I recently started using 1.14 of wget included with my distro's updates:
>> GNU Wget 1.14 built on linux-gnu.
>>
>> Trouble is, it gives security warnings on almost every https
>> site I access.
>>
>> I can't think of 1 where I didn't have to override the security
>> warning (and this time, I just put it in my .wgetrc file).
>>
>> So why does wget get all these errors when my browsers don't?
>
> It appears your wget is built against the openssl library. For https
> certificate verification to work in wget automagically as it does in
> the major browsers, openssl needs a properly configured root
> certificate store (default location: /etc/ssl/certs).


I have the latest ca-certificates for opensuse 13.1 installed:

rpm -ql ca-certificates

/etc/ca-certificates
/etc/ca-certificates/update.d
/etc/pki
/etc/pki/trust
/etc/pki/trust/anchors
/etc/pki/trust/blacklist
/etc/ssl/ca-bundle.pem
/etc/ssl/certs
/usr/lib/ca-certificates
/usr/lib/ca-certificates/update.d
/usr/lib/ca-certificates/update.d/certbundle.run
/usr/lib/ca-certificates/update.d/etc_ssl.run
/usr/lib/ca-certificates/update.d/java.run
/usr/lib/ca-certificates/update.d/openssl.run
/usr/sbin/update-ca-certificates
/usr/share/doc/packages/ca-certificates
/usr/share/doc/packages/ca-certificates/COPYING
/usr/share/doc/packages/ca-certificates/README
/usr/share/man/man8/update-ca-certificates.8.gz
/usr/share/pki
/usr/share/pki/trust
/usr/share/pki/trust/anchors
/usr/share/pki/trust/blacklist
/var/lib/ca-certificates
/var/lib/ca-certificates/ca-bundle.pem
/var/lib/ca-certificates/java-cacerts
/var/lib/ca-certificates/openssl
/var/lib/ca-certificates/pem
--
It shows files in /etc/ssl as well as other places.

But at the end of the update script, I notice a message:
if ($foundignored)
{
  print STDERR "\n* = CA Certificates in /etc/ssl/certs are only seen by some
legacy applications.

To install CA-Certificates globally move them to /etc/pki/trust/ancors
instead!\n";
}

Perhaps wget isn't using the new location?

> Check your distrib's documentation/support forums/mailing lists
> for how to set this up. It might be a package that you can easily
> install (for example, Debian and derivatives call theirs
> ca-certificates).
>
> This is not a wget issue proper.
>
> --mancha


Re: [Bug-wget] wget seems to be out of touch with security (fails on most (all?) http websites...(where browsers work)

2013-12-20 Thread Mike Frysinger
On Friday 20 December 2013 12:03:43 L Walsh wrote:
> Perhaps wget isn't using the new location?

openssl manages its cert locations itself, not wget.  file a bug for your
distro.
-mike




Re: [Bug-wget] wget seems to be out of touch with security (fails on most (all?) http websites...(where browsers work)

2013-12-20 Thread Tim Rühsen
On Friday, 20 December 2013, 09:03:43, L Walsh wrote:
> But at the end of the update script, I notice a message:
> if ($foundignored)
> {
>   print STDERR "\n* = CA Certificates in /etc/ssl/certs are only seen by
> some legacy applications.
> To install CA-Certificates globally move them to /etc/pki/trust/ancors
> instead!\n"; }
>
> Perhaps wget isn't using the new location?

Wget is using /etc/ssl/certs by default.

If the distribution uses a different directory, the package maintainer should
change the default directory either by providing a patch or by specifying the
directory in /etc/wgetrc.

Have a look into /etc/ssl/certs and /etc/pki/trust/ancors to see which of them
fits your needs.

Assuming you want /etc/pki/trust/ancors as the certificate directory, put it
into /etc/wgetrc (or into ~/.wgetrc):

cadirectory=/etc/pki/trust/ancors


BTW, the 'Go Daddy' certs are named here (Debian SID) Go_Daddy_*

It is a good idea to submit a bug report for the wget package of your dist (if
it hasn't already been done by someone else).

Regards, Tim




Re: [Bug-wget] wget seems to be out of touch with security (fails on most (all?) http websites...(where browsers work)

2013-12-20 Thread Tim Rühsen
On Friday, 20 December 2013, 13:54:12, Mike Frysinger wrote:
> On Friday 20 December 2013 12:03:43 L Walsh wrote:
>> Perhaps wget isn't using the new location?
>
> openssl manages its cert locations itself, not wget.  file a bug for your
> distro.

You are right.
What I wrote before about /etc/ssl/certs counts for Wget +gnutls only. Sorry.

Tim




[Bug-wget] wget seems to be out of touch with security (fails on most (all?) http websites...(where browsers work)

2013-12-19 Thread L Walsh

I recently started using 1.14 of wget included with my distro's updates:
GNU Wget 1.14 built on linux-gnu.

+digest +https +ipv6 +iri +large-file +nls +ntlm +opie +ssl/openssl

Wgetrc:
/home/law/.wgetrc (user)
/etc/wgetrc (system)
Locale: /usr/share/locale
Compile: gcc -DHAVE_CONFIG_H -DSYSTEM_WGETRC=/etc/wgetrc
-DLOCALEDIR=/usr/share/locale -I. -I../lib -I../lib
-fmessage-length=0 -grecord-gcc-switches -O2 -Wall
-D_FORTIFY_SOURCE=2 -fstack-protector -funwind-tables
-fasynchronous-unwind-tables -g
Link: gcc -fmessage-length=0 -grecord-gcc-switches -O2 -Wall
-D_FORTIFY_SOURCE=2 -fstack-protector -funwind-tables
-fasynchronous-unwind-tables -g -lproxy /usr/lib64/libssl.so
/usr/lib64/libcrypto.so /usr/lib64/libz.so -ldl -lz -lz -lidn
ftp-opie.o openssl.o http-ntlm.o ../lib/libgnu.a


-

Trouble is, it gives security warnings on almost every https
site I access.

I can't think of 1 where I didn't have to override the security
warning (and this time, I just put it in my .wgetrc file).

So why does wget get all these errors when my browsers don't?



Like here, pulling a single doc from the POSIX folks at
the Open Group.  Anyone have an idea why certs from GoDaddy would
not resolve properly?

Thanks...

wget https://collaboration.opengroup.org/pegasus/pp/documents/29166/ReleaseNotes.htm;
--2013-12-19 20:38:25--  https://collaboration.opengroup.org/pegasus/pp/documents/29166/ReleaseNotes.htm
Resolving collaboration.opengroup.org (collaboration.opengroup.org)... 64.79.149.150
Connecting to collaboration.opengroup.org (collaboration.opengroup.org)|64.79.149.150|:443... connected.
WARNING: cannot verify collaboration.opengroup.org's certificate, issued by ‘/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287’:
  Self-signed certificate encountered.
HTTP request sent, awaiting response... 302 Found
Location: https://sso.opengroup.org/IDBUS/PROD/PHP-PLATO/JOSSO/SSO/REDIR?josso_back_to=https://collaboration.opengroup.org/josso/josso-php-partnerapp/josso-security-check.phpjosso_cmd=login_optionaljosso_partnerapp_host=collaboration.opengroup.orgjosso_partnerapp_id=plato [following]
--2013-12-19 20:38:26--  https://sso.opengroup.org/IDBUS/PROD/PHP-PLATO/JOSSO/SSO/REDIR?josso_back_to=https://collaboration.opengroup.org/josso/josso-php-partnerapp/josso-security-check.phpjosso_cmd=login_optionaljosso_partnerapp_host=collaboration.opengroup.orgjosso_partnerapp_id=plato
Resolving sso.opengroup.org (sso.opengroup.org)... 64.79.149.147
Connecting to sso.opengroup.org (sso.opengroup.org)|64.79.149.147|:443... connected.
WARNING: cannot verify sso.opengroup.org's certificate, issued by ‘/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287’:
  Self-signed certificate encountered.
HTTP request sent, awaiting response... 302 Found
Location: https://collaboration.opengroup.org/josso/josso-php-partnerapp/josso-security-check.php [following]
--2013-12-19 20:38:26--  https://collaboration.opengroup.org/josso/josso-php-partnerapp/josso-security-check.php
Reusing existing connection to collaboration.opengroup.org:443.
HTTP request sent, awaiting response... 302 Found
Location: /pegasus/pp/documents/29166/ReleaseNotes.htm [following]
--2013-12-19 20:38:26--  https://collaboration.opengroup.org/pegasus/pp/documents/29166/ReleaseNotes.htm
Reusing existing connection to collaboration.opengroup.org:443.
HTTP request sent, awaiting response... 200 OK
Length: 103075 (101K) [text/html]
Saving to: ‘ReleaseNotes.htm’



Re: [Bug-wget] wget seems to be out of touch with security (fails on most (all?) http websites...(where browsers work)

2013-12-19 Thread mancha
L Walsh wget at tlinx.org writes:

> I recently started using 1.14 of wget included with my distro's updates:
> GNU Wget 1.14 built on linux-gnu.
>
> Trouble is, it gives security warnings on almost every https
> site I access.
>
> I can't think of 1 where I didn't have to override the security
> warning (and this time, I just put it in my .wgetrc file).
>
> So why does wget get all these errors when my browsers don't?

It appears your wget is built against the openssl library. For https
certificate verification to work in wget automagically as it does in
the major browsers, openssl needs a properly configured root
certificate store (default location: /etc/ssl/certs).

Check your distrib's documentation/support forums/mailing lists
for how to set this up. It might be a package that you can easily
install (for example, Debian and derivatives call theirs
ca-certificates).

This is not a wget issue proper.

--mancha
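What a "properly configured root certificate store" means for an OpenSSL-backed build, as an added example that is not from this thread or from the wget project: Python's ssl module reports the same compile-time default CAfile and CApath that OpenSSL itself falls back to, and OpenSSL's CApath lookup only finds files named by subject hash (eight hex digits, a dot, a number, as produced by c_rehash or `openssl rehash`). That is why a directory holding arbitrarily named .pem files for local daemons, like the reporter's /etc/ssl/certs, is not a working store even though certificates are present. The function names and the directory listing built in the test are the example's own.

```python
import os
import re
import ssl

# OpenSSL's CApath lookup opens <subject-hash>.<n> (eight hex digits, a dot,
# a small decimal; CRL links use .r<n>) as created by c_rehash / `openssl
# rehash`. A directory of arbitrarily named .pem files is not a usable CApath
# even though the certificates are physically there.
HASHED_NAME = re.compile(r"^[0-9a-f]{8}\.r?\d+$")


def inspect_capath(capath):
    """Return (hashed_entries, unhashed_pem_files) for a CApath directory.

    hashed_entries counts files OpenSSL can actually find by issuer lookup;
    unhashed_pem_files lists .pem/.crt files that would be silently ignored.
    """
    if not capath or not os.path.isdir(capath):
        return 0, []
    hashed, unhashed = 0, []
    for name in sorted(os.listdir(capath)):
        if HASHED_NAME.match(name):
            hashed += 1
        elif name.lower().endswith((".pem", ".crt")):
            unhashed.append(name)
    return hashed, unhashed


def cafile_usable(cafile):
    """A CAfile (bundle) is usable when it exists and holds at least one
    PEM certificate block."""
    if not cafile or not os.path.isfile(cafile):
        return False
    with open(cafile, "rb") as fh:
        return b"-----BEGIN CERTIFICATE-----" in fh.read()


def diagnose(cafile=None, capath=None):
    """Report whether the trust store an OpenSSL-linked program (such as the
    reporter's wget build) falls back to is actually usable.

    With no arguments, uses the running OpenSSL's compile-time defaults as
    reported by ssl.get_default_verify_paths(), the same locations that the
    SSL_CERT_FILE / SSL_CERT_DIR environment variables override."""
    if cafile is None and capath is None:
        defaults = ssl.get_default_verify_paths()
        cafile, capath = defaults.openssl_cafile, defaults.openssl_capath
    hashed, unhashed = inspect_capath(capath)
    report = {
        "cafile": cafile,
        "cafile_ok": cafile_usable(cafile),
        "capath": capath,
        "capath_hashed_entries": hashed,
        "capath_unhashed_pem": unhashed,
    }
    report["capath_ok"] = hashed > 0
    # Either a usable bundle file or a hashed directory is enough.
    report["store_usable"] = report["cafile_ok"] or report["capath_ok"]
    return report


if __name__ == "__main__":
    for key, value in diagnose().items():
        print(f"{key}: {value}")
```

Run without arguments it prints where this host's OpenSSL looks by default; a report with capath_unhashed_pem populated and capath_hashed_entries at zero is the situation described in the thread, and the remedy is a hashed directory (or a bundle file) rather than disabling verification.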