bug-wget

Re: [Bug-wget] Wget cannot validate https://ftp.gnu.org?


From: Tim Rühsen
Subject: Re: [Bug-wget] Wget cannot validate https://ftp.gnu.org?
Date: Mon, 16 Oct 2017 10:52:52 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.3.0

Hi Jeffrey,

I can't reproduce your issue on the first try (Debian unstable here).

That means the issuer's cert (DST Root CA X3,O=Digital Signature Trust
Co.) is part of the system's CA cert store.

$ ls -la /etc/ssl/certs/*X3*
lrwxrwxrwx 1 root root 53 27-10-11 09:39:52
/etc/ssl/certs/DST_Root_CA_X3.pem ->
/usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt

But now let's change the CA directory to a place where no CAs are
stored *and* then add that X3 CA cert from
https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt
(saved as x3.pem).

$ wget --ca-directory=/ --ca-certificate=x3.pem https://ftp.gnu.org/gnu/libunistring/libunistring-0.9.7.tar.gz
(Download OK)

As a test that we really only load x3.pem:
$ wget --ca-directory=/ --ca-certificate=x3.pem https://google.com
ERROR: The certificate of ‘google.de’ is not trusted.
ERROR: The certificate of ‘google.de’ hasn't got a known issuer.
ERROR: The certificate of ‘google.de’ was signed using an insecure algorithm.

Caveat: wget has been built with GnuTLS (3.5.15). The OpenSSL (1.1.0f)
code seems not to support --ca-directory !? It succeeds with both of the
above tests. While we only actively support GnuTLS, we accept OpenSSL
code patches (if you would like to provide one).

With Best Regards, Tim



On 10/15/2017 05:36 AM, Jeffrey Walton wrote:
> So it looks like the behavior below is inherited from OpenSSL:
> 
> $ openssl s_client -connect ftp.gnu.org:443 -servername ftp.gnu.org -CAfile ~/.cacert/lets-encrypt-root-x3.pem
> CONNECTED(00000003)
> ...
> Verify return code: 2 (unable to get issuer certificate)
> 
> However, OpenSSL also has -partial-chain (thanks to Dave Thompson) so
> we can pin trust at the cross-certified Let's Encrypt X3 root:
> 
> $ openssl s_client -connect ftp.gnu.org:443 -servername ftp.gnu.org -CAfile ~/.cacert/lets-encrypt-root-x3.pem -partial_chain
> CONNECTED(00000003)
> depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
> verify return:1
> depth=0 CN = ftp.gnu.org
> verify return:1
> ---
> Certificate chain
>  0 s:/CN=ftp.gnu.org
>    i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
>  1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
>    i:/O=Digital Signature Trust Co./CN=DST Root CA X3
> ---
>    ...
>    Verify return code: 0 (ok)
> ---
> read:errno=0
> 
> Looking through the Wget 1.18 manual
> (https://www.gnu.org/software/wget/manual/wget.html) I don't see a
> similar option.
> 
> So my question is, does Wget allow us to do the same? If so, then how
> do we do it?
> 
> Jeff
> 
> On Sat, Oct 14, 2017 at 6:53 PM, Jeffrey Walton <address@hidden> wrote:
>> I'm having trouble downloading tarballs from ftp.gnu.org using wget.
>>
>> wget --ca-certificate="$HOME/.cacert/lets-encrypt-root-x3.pem" "https://ftp.gnu.org/gnu/libunistring/libunistring-0.9.7.tar.gz" -O libunistring-0.9.7.tar.gz
>> --2017-10-14 17:59:40--  https://ftp.gnu.org/gnu/libunistring/libunistring-0.9.7.tar.gz
>> Resolving ftp.gnu.org (ftp.gnu.org)... 208.118.235.20, 2001:4830:134:3::b
>> Connecting to ftp.gnu.org (ftp.gnu.org)|208.118.235.20|:443... connected.
>> ERROR: cannot verify ftp.gnu.org's certificate, issued by 'CN=Let\'s Encrypt Authority X3,O=Let\'s Encrypt,C=US':
>>   unable to get issuer certificate
>> To connect to ftp.gnu.org insecurely, use `--no-check-certificate'.
>>
>> The CA file lets-encrypt-root-x3.pem is provided at
>> https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt,
>> and it is shown below. It has the CA bit set, basic constraints are
>> present, and proper key usage is present. It appears to be a valid CA
>> cert.
>>
>> The thing that looks unusual to me is the addition of characters in
>> the distinguished name. For example, it appears Wget adds a slash to
>> escape the single apostrophe in the common name.
>>
>> Does anyone have an idea what I might be doing wrong? Or if things are
>> working as expected, then how do I use the certificate to download the
>> file using Wget?
>>
>> **********
>>
>> $ wget -V
>> GNU Wget 1.19.1 built on solaris2.11.
>>
>> -cares +digest -gpgme +https +ipv6 +iri +large-file -metalink +nls
>> +ntlm +opie -psl +ssl/openssl
>>
>> Wgetrc:
>>     /usr/local/etc/wgetrc (system)
>> Locale:
>>     /usr/local/share/locale
>> Compile:
>>     gcc -DHAVE_CONFIG_H -DSYSTEM_WGETRC="/usr/local/etc/wgetrc"
>>     -DLOCALEDIR="/usr/local/share/locale" -I. -I../lib -I../lib
>>     -I/usr/local/include -DNDEBUG -D_REENTRANT -I/usr/include/pcre
>>     -DNDEBUG -m64
>> Link:
>>     gcc -I/usr/include/pcre -DNDEBUG -m64 -m64
>>     -Wl,-rpath,/usr/local/lib64 -L/usr/local/lib64 -lpcre -luuid -lidn2
>>     /usr/local/lib64/libssl.so /usr/local/lib64/libcrypto.so
>>     -R/usr/local/lib64 -ldl -lz -lssl -lcrypto -ldl -lpthread
>>     ftp-opie.o openssl.o http-ntlm.o ../lib/libgnu.a -lsocket -lnsl
>>     -lnsl -lnsl -lsocket -lsocket /usr/local/lib64/libiconv.so
>>     -R/usr/local/lib64 /usr/local/lib64/libunistring.so
>>     /usr/local/lib64/libiconv.so -ldl -lpthread -R/usr/local/lib64
>>     -lsocket
>>
>> **********
>>
>> $ openssl x509 -in $HOME/cacert/lets-encrypt-root-x3.pem -text -noout
>> Certificate:
>>     Data:
>>         Version: 3 (0x2)
>>         Serial Number:
>>             0a:01:41:42:00:00:01:53:85:73:6a:0b:85:ec:a7:08
>>     Signature Algorithm: sha256WithRSAEncryption
>>         Issuer: O=Digital Signature Trust Co., CN=DST Root CA X3
>>         Validity
>>             Not Before: Mar 17 16:40:46 2016 GMT
>>             Not After : Mar 17 16:40:46 2021 GMT
>>         Subject: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
>>         Subject Public Key Info:
>>             Public Key Algorithm: rsaEncryption
>>                 Public-Key: (2048 bit)
>>                 Modulus:
>>                     00:9c:d3:0c:f0:5a:e5:2e:47:b7:72:5d:37:83:b3:
>>                     68:63:30:ea:d7:35:26:19:25:e1:bd:be:35:f1:70:
>>                     92:2f:b7:b8:4b:41:05:ab:a9:9e:35:08:58:ec:b1:
>>                     2a:c4:68:87:0b:a3:e3:75:e4:e6:f3:a7:62:71:ba:
>>                     79:81:60:1f:d7:91:9a:9f:f3:d0:78:67:71:c8:69:
>>                     0e:95:91:cf:fe:e6:99:e9:60:3c:48:cc:7e:ca:4d:
>>                     77:12:24:9d:47:1b:5a:eb:b9:ec:1e:37:00:1c:9c:
>>                     ac:7b:a7:05:ea:ce:4a:eb:bd:41:e5:36:98:b9:cb:
>>                     fd:6d:3c:96:68:df:23:2a:42:90:0c:86:74:67:c8:
>>                     7f:a5:9a:b8:52:61:14:13:3f:65:e9:82:87:cb:db:
>>                     fa:0e:56:f6:86:89:f3:85:3f:97:86:af:b0:dc:1a:
>>                     ef:6b:0d:95:16:7d:c4:2b:a0:65:b2:99:04:36:75:
>>                     80:6b:ac:4a:f3:1b:90:49:78:2f:a2:96:4f:2a:20:
>>                     25:29:04:c6:74:c0:d0:31:cd:8f:31:38:95:16:ba:
>>                     a8:33:b8:43:f1:b1:1f:c3:30:7f:a2:79:31:13:3d:
>>                     2d:36:f8:e3:fc:f2:33:6a:b9:39:31:c5:af:c4:8d:
>>                     0d:1d:64:16:33:aa:fa:84:29:b6:d4:0b:c0:d8:7d:
>>                     c3:93
>>                 Exponent: 65537 (0x10001)
>>         X509v3 extensions:
>>             X509v3 Basic Constraints: critical
>>                 CA:TRUE, pathlen:0
>>             X509v3 Key Usage: critical
>>                 Digital Signature, Certificate Sign, CRL Sign
>>             Authority Information Access:
>>                 OCSP - URI:http://isrg.trustid.ocsp.identrust.com
>>                 CA Issuers - URI:http://apps.identrust.com/roots/dstrootcax3.p7c
>>
>>             X509v3 Authority Key Identifier:
>>                 keyid:C4:A7:B1:A4:7B:2C:71:FA:DB:E1:4B:90:75:FF:C4:15:60:85:89:10
>>
>>             X509v3 Certificate Policies:
>>                 Policy: 2.23.140.1.2.1
>>                 Policy: 1.3.6.1.4.1.44947.1.1.1
>>                   CPS: http://cps.root-x1.letsencrypt.org
>>
>>             X509v3 CRL Distribution Points:
>>
>>                 Full Name:
>>                   URI:http://crl.identrust.com/DSTROOTCAX3CRL.crl
>>
>>             X509v3 Subject Key Identifier:
>>                 A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1
>>     Signature Algorithm: sha256WithRSAEncryption
>>          dd:33:d7:11:f3:63:58:38:dd:18:15:fb:09:55:be:76:56:b9:
>>          70:48:a5:69:47:27:7b:c2:24:08:92:f1:5a:1f:4a:12:29:37:
>>          24:74:51:1c:62:68:b8:cd:95:70:67:e5:f7:a4:bc:4e:28:51:
>>          cd:9b:e8:ae:87:9d:ea:d8:ba:5a:a1:01:9a:dc:f0:dd:6a:1d:
>>          6a:d8:3e:57:23:9e:a6:1e:04:62:9a:ff:d7:05:ca:b7:1f:3f:
>>          c0:0a:48:bc:94:b0:b6:65:62:e0:c1:54:e5:a3:2a:ad:20:c4:
>>          e9:e6:bb:dc:c8:f6:b5:c3:32:a3:98:cc:77:a8:e6:79:65:07:
>>          2b:cb:28:fe:3a:16:52:81:ce:52:0c:2e:5f:83:e8:d5:06:33:
>>          fb:77:6c:ce:40:ea:32:9e:1f:92:5c:41:c1:74:6c:5b:5d:0a:
>>          5f:33:cc:4d:9f:ac:38:f0:2f:7b:2c:62:9d:d9:a3:91:6f:25:
>>          1b:2f:90:b1:19:46:3d:f6:7e:1b:a6:7a:87:b9:a3:7a:6d:18:
>>          fa:25:a5:91:87:15:e0:f2:16:2f:58:b0:06:2f:2c:68:26:c6:
>>          4b:98:cd:da:9f:0c:f9:7f:90:ed:43:4a:12:44:4e:6f:73:7a:
>>          28:ea:a4:aa:6e:7b:4c:7d:87:dd:e0:c9:02:44:a7:87:af:c3:
>>          34:5b:b4:42
> 
> 


