Public bug reported:

In the wget man page, the command line options --ca-certificate and --ca-directory have the sentence: "Without this option Wget looks for CA certificates at the system-specified locations, chosen at OpenSSL installation time." To me, that implies that *with* these options, the system-specified locations are *not* searched. (That would be useful if the sysadmin has installed certificates that the user doesn't trust.) However, it appears that even with these options, the system SSL directory /usr/lib/ssl/certs (symlink to /etc/ssl/certs) is still searched.

Running

  wget --ca-certificate=/dev/null --ca-directory=/nonexistent https://www.google.com

succeeds. I would expect it to fail, having no trusted CA certificate. strace reveals that it reads a certificate from /usr/lib/ssl/certs.

Either the code should be fixed, or the man page should be clarified.

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: wget 1.17.1-1ubuntu1.1
ProcVersionSignature: Ubuntu 4.4.0-31.50-generic 4.4.13
Uname: Linux 4.4.0-31-generic x86_64
NonfreeKernelModules: wl
ApportVersion: 2.20.1-0ubuntu2.1
Architecture: amd64
Date: Sat Jul 23 09:12:02 2016
SourcePackage: wget
UpgradeStatus: Upgraded to xenial on 2016-05-27 (57 days ago)

** Affects: wget (Ubuntu)
     Importance: Undecided
         Status: New

** Tags: amd64 apport-bug xenial

https://bugs.launchpad.net/bugs/1605883

Title: wget uses system CA certificates even when told not to

Status in wget package in Ubuntu: New
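
One way to repeat the strace check described in the report, as an added example that is not part of the original bug report or of wget: it lists CA files that a client opened successfully from system trust locations outside the paths passed on its command line. The function names, the list of system prefixes and the sample trace lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: list CA files a TLS client opened from system trust locations
# that were not among the paths given on its command line.
# Capture a trace first, e.g.:
#   strace -f -e trace=open,openat -o wget.trace wget --ca-certificate=... URL

# Assumption: Debian/Ubuntu OpenSSL default trust locations.
SYSTEM_CA_PREFIXES="/usr/lib/ssl/certs/ /etc/ssl/certs/ /usr/lib/ssl/cert.pem"

# unexpected_ca_reads TRACE_FILE ALLOWED_PREFIX...
# Prints each system CA path that was opened successfully and is not under an
# allowed prefix. Paths containing spaces are not handled.
unexpected_ca_reads() {
    log=$1; shift
    awk -v sys="$SYSTEM_CA_PREFIXES" -v allow="$*" '
        BEGIN { ns = split(sys, S, " "); na = split(allow, A, " ") }
        # Only successful open()/openat(): the line ends in a non-negative fd.
        /^(\[pid +[0-9]+\] +|[0-9]+ +)?open(at)?\(/ && / = [0-9]+$/ {
            if (!match($0, /"[^"]+"/)) next
            path = substr($0, RSTART + 1, RLENGTH - 2)
            for (i = 1; i <= na; i++) if (index(path, A[i]) == 1) next
            for (i = 1; i <= ns; i++) if (index(path, S[i]) == 1) { print path; next }
        }' "$log" | sort -u
}

# Constructed strace excerpt (not captured from a real run); the hashed file
# name is a placeholder.
sample_trace() {
    cat <<'EOF'
open("/dev/null", O_RDONLY) = 4
stat("/nonexistent/0a1b2c3d.0", 0x7ffc0000) = -1 ENOENT (No such file or directory)
open("/nonexistent/0a1b2c3d.0", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/ssl/certs/0a1b2c3d.0", O_RDONLY) = 4
open("/usr/lib/ssl/certs/0a1b2c3d.0", O_RDONLY) = 4
open("/etc/ssl/certs/missing.0", O_RDONLY) = -1 ENOENT (No such file or directory)
EOF
}

# Allowed prefixes mirror the options used in the report.
tmp=$(mktemp) && sample_trace > "$tmp"
unexpected_ca_reads "$tmp" /dev/null /nonexistent/   # prints /usr/lib/ssl/certs/0a1b2c3d.0
rm -f "$tmp"
```

Empty output means no system CA file was read outside the allowed prefixes; any printed path is a trust anchor the client consulted beyond the ones it was given.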