IE had a bug reported: http://online.securityfocus.com/archive/1/286895/2002-08-08/2002-08-14/1 http://www.theregister.co.uk/content/4/26620.html
The problem exists in wget. OpenSSL doesn't install the certs in the proper directory by default. Use "openssl ca" to find the directory - the path up to the last part is the directory that should have a certs directory. Doing "make rehash" when building OpenSSL, and copying the contents of the certs directory to the target will fix this. If OpenSSL is broken, e.g. no certs installed, this will cause wget not to work.

Attached is a patch that correctly handles cert verification. You may want to add better error messages or a command line override. Alternately you can include your own cert chain file and set the directory or paths, etc., but this is a quick fix and OpenSSL should be set up properly anyway.

diff -Bbur wget-1.8.2/src/gen_sslfunc.c wget-1.8.2-fix/src/gen_sslfunc.c --- wget-1.8.2/src/gen_sslfunc.c 2002-05-17 23:14:48.000000000 -0400 +++ wget-1.8.2-fix/src/gen_sslfunc.c 2002-08-18 22:05:34.000000000 -0400 @@ -135,6 +135,7 @@ meth = SSLv23_client_method (); *ctx = SSL_CTX_new (meth); SSL_CTX_set_verify (*ctx, verify, verify_callback); + SSL_CTX_set_default_verify_paths (*ctx); if (*ctx == NULL) return SSLERRCTXCREATE; if (opt.sslcertfile) { @@ -154,6 +155,9 @@ Returns 0 if everything went right Returns 1 if something went wrong ----- TODO: More exit codes */ + +static int goodcert; + int connect_ssl (SSL **con, SSL_CTX *ctx, int fd) { @@ -161,6 +165,8 @@ SSL_set_fd (*con, fd); SSL_set_connect_state (*con); SSL_connect (*con); + if( !goodcert ) + return 1; if ((*con)->state != SSL_ST_OK) return 1; /*while((SSLerror=ERR_get_error())!=0) @@ -188,6 +194,7 @@ { char *s, buf[256]; s = X509_NAME_oneline (X509_get_subject_name (ctx->current_cert), buf, 256); + goodcert = ok; if (ok == 0) { switch (ctx->error) { case X509_V_ERR_CERT_NOT_YET_VALID:
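Review bot: In the first hunk (@@ -135), the new SSL_CTX_set_default_verify_paths (*ctx) call sits above the existing "if (*ctx == NULL) return SSLERRCTXCREATE;" check, so a failed SSL_CTX_new passes a NULL context into it (the SSL_CTX_set_verify line above already has the same ordering problem). Move the NULL check directly after SSL_CTX_new. The return value is also discarded: SSL_CTX_set_default_verify_paths returns 1 on success and 0 on failure, and ignoring it means a failure to set up the default trust locations only shows up later as every connection being rejected, with nothing to tell the user why. Check it and return a distinct error.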
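Review bot: In the second hunk (@@ -154), "static int goodcert;" is file-scope state shared by every SSL connection the process makes, and it has no comment saying who writes it or when it is valid. Nothing in the patch resets it before a handshake, so its value at the check in connect_ssl can be left over from an earlier connection. Either reset it at the top of connect_ssl and document that verify_callback is its only writer, or drop the global and read the per-connection result with SSL_get_verify_result (*con) after SSL_connect.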
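Review bot: In the third hunk (@@ -161), "if( !goodcert ) return 1;" runs after an SSL_connect whose return value is still ignored, and it trusts a flag that is only updated if verify_callback actually ran during this handshake. If the callback was not invoked for this connection, a goodcert of 1 from a previous connection lets the check pass. Test the SSL_connect return value first, then the verification result for this connection. The bare "return 1" is also indistinguishable from the state check below it, so a certificate failure is reported the same way as any other connect failure; the comment above the function already carries a TODO for more exit codes, and this is a good place for one.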
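Review bot: In the fourth hunk (@@ -188), "goodcert = ok;" is a plain assignment inside verify_callback, which OpenSSL invokes once per certificate in the chain, so the flag ends up holding only the value from the last invocation. If the callback lets the handshake continue after an ok of 0, a later call with ok set to 1 overwrites the failure. Make the flag sticky, for example "if (!ok) goodcert = 0;" combined with setting it to 1 before the handshake starts. The assignment is also placed before the "switch (ctx->error)" block, so it records the raw ok regardless of what the switch decides for cases such as X509_V_ERR_CERT_NOT_YET_VALID; a comment stating that this is intended would help.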