|
From: | L Walsh |
Subject: | Re: [Bug-wget] wget seems to be "out of touch" with security (fails on most (all?) http websites...(where browsers work) |
Date: | Fri, 20 Dec 2013 09:03:43 -0800 |
User-agent: | Thunderbird |
mancha wrote:
L Walsh <wget <at> tlinx.org> writes:I recently started using 1.14 of wget included with my distro's updates: GNU Wget 1.14 built on linux-gnu.Trouble is, it gives security warnings on almost every httpssite I access. I can't think of 1 where I didn't have to override the security warning (and this time, I just put it in my .wgetrc file). So why does wget get all these errors when my browsers don't?It appears your wget is built against the openssl library. For https certificate verification to work in wget automagically as it does in the major browsers, openssl needs a properly configured root certificate store (default location: /etc/ssl/certs).
---- I have the latest ca-certificates for opensuse 13.1 installed:
rpm -ql ca-certificates
/etc/ca-certificates /etc/ca-certificates/update.d /etc/pki /etc/pki/trust /etc/pki/trust/anchors /etc/pki/trust/blacklist /etc/ssl/ca-bundle.pem /etc/ssl/certs /usr/lib/ca-certificates /usr/lib/ca-certificates/update.d /usr/lib/ca-certificates/update.d/certbundle.run /usr/lib/ca-certificates/update.d/etc_ssl.run /usr/lib/ca-certificates/update.d/java.run /usr/lib/ca-certificates/update.d/openssl.run /usr/sbin/update-ca-certificates /usr/share/doc/packages/ca-certificates /usr/share/doc/packages/ca-certificates/COPYING /usr/share/doc/packages/ca-certificates/README /usr/share/man/man8/update-ca-certificates.8.gz /usr/share/pki /usr/share/pki/trust /usr/share/pki/trust/anchors /usr/share/pki/trust/blacklist /var/lib/ca-certificates /var/lib/ca-certificates/ca-bundle.pem /var/lib/ca-certificates/java-cacerts /var/lib/ca-certificates/openssl /var/lib/ca-certificates/pem ------------------ It shows files in /etc/ssl as well as other places. But at the end of the update script, I notice a message: if ($foundignored) {print STDERR "\n* = CA Certificates in /etc/ssl/certs are only seen by some legacy applications.
To install CA-Certificates globally move them to /etc/pki/trust/ancors instead!\n"; } Perhaps wget isn't using the new location?
Check your distrib's documentation/support forums/mailing lists for how to set this up. It might be a package that you can easily install (for example, Debian and derivatives call theirs "ca-certificates"). This is not a wget issue proper. --mancha
[Prev in Thread] | Current Thread | [Next in Thread] |