|Summary:||Wget doesn't recognize the certificate with alternative names|
|Product:||Red Hat Enterprise Linux 5||Reporter:||Jeff Sheltren <sheltren>|
|Component:||wget||Assignee:||Tomáš Hozza <thozza>|
|Status:||CLOSED WONTFIX||QA Contact:||BaseOS QE - Apps <qe-baseos-apps>|
|Version:||5.9||CC:||bgilbert, imc, jennifer.sun, karsten, matt, micah, opensource, sheltren, volker27, wgold|
|Fixed In Version:||Doc Type:||Bug Fix|
|Doc Text:||Story Points:||---|
|Last Closed:||2013-03-12 08:44:51 UTC||Type:||---|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
|Cloudforms Team:||---||Target Upstream Version:|
|Bug Depends On:||674186|
Description Jeff Sheltren 2013-01-24 18:57:06 UTC
This bug still exists in EL5 and EL6, though it was fixed some time ago in Fedora. Any chance of a fix in RHEL 5 and 6? +++ This bug was initially created as a clone of Bug #674186 +++ Description of problem: When I try to download the recent youtube-dl release from github with spectool/wget, it fails: LANG=C wget https://github.com/rg3/youtube-dl/raw/2011.01.30/youtube-dl --2011-01-31 22:59:03-- https://github.com/rg3/youtube-dl/raw/2011.01.30/youtube-dl Resolving github.com... 220.127.116.11 Connecting to github.com|18.104.22.168|:443... connected. ERROR: certificate common name `*.github.com' doesn't match requested host name `github.com'. To connect to github.com insecurely, use `--no-check-certificate'. Looking at the certificate shows me: openssl s_client -connect github.com:443 | openssl x509 -text [...] X509v3 Subject Alternative Name: DNS:*.github.com, DNS:github.com Afaik this should mean that the certificate is valid for github.com Version-Release number of selected component (if applicable): wget-1.12-2.fc13 How reproducible: always Steps to Reproduce: 1. wget https://github.com/rg3/youtube-dl/raw/2011.01.30/youtube-dl Actual results: fails with certificate error Expected results: it should download the file --- Additional comment from Ian Collier on 2011-02-22 07:24:41 EST --- There's also a Debian bug regarding this issue (namely, failure to correctly check Subject Alternative Names for certificates): http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=409938 Comments on that bug say that it has been fixed upstream but there has been no new release with the fix, despite it being well over a year since the fix was committed. Would it be possible to extract the patch and add it to the current Fedora version? --- Additional comment from Volker Fröhlich on 2011-06-23 05:37:25 EDT --- http://www.geofrogger.net/review/wget-1.12-3.1.fc15.src.rpm I applied upstream's patch, but can only test by tomorrow. The Github example doesn't seem to cause problems on the original wget version anymore. --- Additional comment from Volker Fröhlich on 2011-06-23 17:14:25 EDT --- http://koji.fedoraproject.org/koji/taskinfo?taskID=3156329 I just tried it and it doesn't complain any more, where the original version did. I assume it's working. --- Additional comment from Volker Fröhlich on 2011-07-07 09:01:38 EDT --- Please respond to this ticket! --- Additional comment from Ian Collier on 2011-07-07 09:23:17 EDT --- > I just tried it and it doesn't complain any more, where the original version > did. I assume it's working. As far as I can tell, same is true here. --- Additional comment from Werner Gold on 2011-07-07 16:41:21 EDT --- Hi Karsten, same problem with the most recent version of wget in RHEL5 and www.paypal.com. Just raised a support ticket as well. --- Additional comment from Volker Fröhlich on 2011-07-16 10:27:48 EDT --- Any news so far? --- Additional comment from Fedora Update System on 2011-08-03 05:21:20 EDT --- wget-1.12-4.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/wget-1.12-4.fc16 --- Additional comment from Fedora Update System on 2011-08-03 05:22:24 EDT --- wget-1.12-4.fc15 has been submitted as an update for Fedora 15. https://admin.fedoraproject.org/updates/wget-1.12-4.fc15 --- Additional comment from Fedora Update System on 2011-08-03 05:23:05 EDT --- wget-1.12-4.fc14 has been submitted as an update for Fedora 14. https://admin.fedoraproject.org/updates/wget-1.12-4.fc14 --- Additional comment from Fedora Update System on 2011-08-03 18:53:50 EDT --- Package wget-1.12-4.fc14: * should fix your issue, * was pushed to the Fedora 14 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing wget-1.12-4.fc14' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/wget-1.12-4.fc14 then log in and leave karma (feedback). --- Additional comment from Matt McCutchen on 2011-08-05 22:17:52 EDT --- *** Bug 667825 has been marked as a duplicate of this bug. *** --- Additional comment from Fedora Update System on 2011-08-12 06:52:27 EDT --- wget-1.12-4.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report. --- Additional comment from Fedora Update System on 2011-08-12 14:22:02 EDT --- wget-1.12-4.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report. --- Additional comment from Fedora Update System on 2011-08-12 14:26:39 EDT --- wget-1.12-4.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report. --- Additional comment from Fedora Update System on 2011-08-22 11:24:18 EDT --- wget-1.12-4.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
Comment 1 Volker Fröhlich 2013-01-24 19:09:38 UTC
I had a support ticket with RH, in which it was turned down.
Comment 2 Tomáš Hozza 2013-01-25 09:45:06 UTC
This bug will be fixed *IF* wget will be approved for an update in the next RHEL 5 release.
Comment 3 Tomáš Hozza 2013-01-25 09:46:29 UTC
Created attachment 687359 [details] Upstream patch modified to fit wget-1.11.4
Comment 4 Jeff Sheltren 2013-01-25 14:37:22 UTC
Tomas, thanks for the update. The issue also remains in EL6: $ rpm -q wget wget-1.12-1.4.el6.x86_64 $ wget https://raw.github.com/rmm5t/jquery-timeago/master/jquery.timeago.js --2013-01-25 06:32:59-- https://raw.github.com/rmm5t/jquery-timeago/master/jquery.timeago.js Resolving raw.github.com... 22.214.171.124 Connecting to raw.github.com|126.96.36.199|:443... connected. ERROR: certificate common name “*.a.ssl.fastly.net” doesn’t match requested host name “raw.github.com”. To connect to raw.github.com insecurely, use ‘--no-check-certificate’.
Comment 5 Tomáš Hozza 2013-01-25 14:41:29 UTC
(In reply to comment #4) > Tomas, thanks for the update. The issue also remains in EL6: Yes, I know. There is already a Bug #736445 for this.
Comment 6 Tomáš Hozza 2013-03-12 08:44:51 UTC
I am sorry, but it is now too late in the RHEL-5 release cycle. RHEL-5.10 (the next RHEL-5 minor release) is going to be the first production phase 2  release of RHEL-5. Since phase 2 we'll be addressing only security and critical issues I am closing this bug as WONTFIX. Note that this issue is already tracked in RHEL6 (Bug #736445).  https://access.redhat.com/support/policy/updates/errata/
Comment 7 jennifer.sun 2018-06-21 02:11:17 UTC
May I know in which version of REL-Hat the bug has been fixed?