Bug 903756

Summary: Wget doesn't recognize the certificate with alternative names
Product: Red Hat Enterprise Linux 5 Reporter: Jeff Sheltren <sheltren>
Component: wgetAssignee: Tomáš Hozza <thozza>
Status: CLOSED WONTFIX QA Contact: BaseOS QE - Apps <qe-baseos-apps>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 5.9CC: bgilbert, imc, jennifer.sun, karsten, matt, micah, opensource, sheltren, volker27, wgold
Target Milestone: rcKeywords: Patch
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 674186 Environment:
Last Closed: 2013-03-12 08:44:51 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 674186    
Bug Blocks:    
Attachments:
Description Flags
Upstream patch modified to fit wget-1.11.4 none

Description Jeff Sheltren 2013-01-24 18:57:06 UTC 
This bug still exists in EL5 and EL6, though it was fixed some time ago in Fedora.  Any chance of a fix in RHEL 5 and 6?

+++ This bug was initially created as a clone of Bug #674186 +++

Description of problem:
When I try to download the recent youtube-dl release from github with spectool/wget, it fails:

LANG=C wget https://github.com/rg3/youtube-dl/raw/2011.01.30/youtube-dl
--2011-01-31 22:59:03--  https://github.com/rg3/youtube-dl/raw/2011.01.30/youtube-dl
Resolving github.com... 207.97.227.239
Connecting to github.com|207.97.227.239|:443... connected.
ERROR: certificate common name `*.github.com' doesn't match requested host name `github.com'.
To connect to github.com insecurely, use `--no-check-certificate'.

Looking at the certificate shows me:
openssl s_client -connect github.com:443 | openssl x509 -text
[...]
            X509v3 Subject Alternative Name: 
                DNS:*.github.com, DNS:github.com

Afaik this should mean that the certificate is valid for github.com

Version-Release number of selected component (if applicable):
wget-1.12-2.fc13

How reproducible:
always

Steps to Reproduce:
1. wget https://github.com/rg3/youtube-dl/raw/2011.01.30/youtube-dl
  
Actual results:
fails with certificate error

Expected results:
it should download the file

--- Additional comment from Ian Collier on 2011-02-22 07:24:41 EST ---

There's also a Debian bug regarding this issue (namely, failure to correctly check Subject Alternative Names for certificates):

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=409938

Comments on that bug say that it has been fixed upstream but there has been no new release with the fix, despite it being well over a year since the fix was committed.

Would it be possible to extract the patch and add it to the current Fedora version?

--- Additional comment from Volker Fröhlich on 2011-06-23 05:37:25 EDT ---

http://www.geofrogger.net/review/wget-1.12-3.1.fc15.src.rpm

I applied upstream's patch, but can only test by tomorrow. The Github example doesn't seem to cause problems on the original wget version anymore.

--- Additional comment from Volker Fröhlich on 2011-06-23 17:14:25 EDT ---

http://koji.fedoraproject.org/koji/taskinfo?taskID=3156329

I just tried it and it doesn't complain any more, where the original version did. I assume it's working.

--- Additional comment from Volker Fröhlich on 2011-07-07 09:01:38 EDT ---

Please respond to this ticket!

--- Additional comment from Ian Collier on 2011-07-07 09:23:17 EDT ---

> I just tried it and it doesn't complain any more, where the original version
> did. I assume it's working.

As far as I can tell, same is true here.

--- Additional comment from Werner Gold on 2011-07-07 16:41:21 EDT ---

Hi Karsten,

same problem with the most recent version of wget in RHEL5 and www.paypal.com. Just raised a support ticket as well.

--- Additional comment from Volker Fröhlich on 2011-07-16 10:27:48 EDT ---

Any news so far?

--- Additional comment from Fedora Update System on 2011-08-03 05:21:20 EDT ---

wget-1.12-4.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/wget-1.12-4.fc16

--- Additional comment from Fedora Update System on 2011-08-03 05:22:24 EDT ---

wget-1.12-4.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/wget-1.12-4.fc15

--- Additional comment from Fedora Update System on 2011-08-03 05:23:05 EDT ---

wget-1.12-4.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/wget-1.12-4.fc14

--- Additional comment from Fedora Update System on 2011-08-03 18:53:50 EDT ---

Package wget-1.12-4.fc14:
* should fix your issue,
* was pushed to the Fedora 14 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing wget-1.12-4.fc14'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/wget-1.12-4.fc14
then log in and leave karma (feedback).

--- Additional comment from Matt McCutchen on 2011-08-05 22:17:52 EDT ---

*** Bug 667825 has been marked as a duplicate of this bug. ***

--- Additional comment from Fedora Update System on 2011-08-12 06:52:27 EDT ---

wget-1.12-4.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.

--- Additional comment from Fedora Update System on 2011-08-12 14:22:02 EDT ---

wget-1.12-4.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.

--- Additional comment from Fedora Update System on 2011-08-12 14:26:39 EDT ---

wget-1.12-4.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.

--- Additional comment from Fedora Update System on 2011-08-22 11:24:18 EDT ---

wget-1.12-4.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 1 Volker Fröhlich 2013-01-24 19:09:38 UTC 
I had a support ticket with RH, in which it was turned down.
Comment 2 Tomáš Hozza 2013-01-25 09:45:06 UTC 
This bug will be fixed *IF* wget will be approved for an update in the next RHEL 5
release.
Comment 3 Tomáš Hozza 2013-01-25 09:46:29 UTC 
Created attachment 687359 [details]
Upstream patch modified to fit wget-1.11.4
Comment 4 Jeff Sheltren 2013-01-25 14:37:22 UTC 
Tomas, thanks for the update.  The issue also remains in EL6:

$ rpm -q wget
wget-1.12-1.4.el6.x86_64

$ wget https://raw.github.com/rmm5t/jquery-timeago/master/jquery.timeago.js
--2013-01-25 06:32:59--  https://raw.github.com/rmm5t/jquery-timeago/master/jquery.timeago.js
Resolving raw.github.com... 199.27.75.193
Connecting to raw.github.com|199.27.75.193|:443... connected.
ERROR: certificate common name “*.a.ssl.fastly.net” doesn’t match requested host name “raw.github.com”.
To connect to raw.github.com insecurely, use ‘--no-check-certificate’.
Comment 5 Tomáš Hozza 2013-01-25 14:41:29 UTC 
(In reply to comment #4)
> Tomas, thanks for the update.  The issue also remains in EL6:

Yes, I know. There is already a Bug #736445 for this.
Comment 6 Tomáš Hozza 2013-03-12 08:44:51 UTC 
I am sorry, but it is now too late in the RHEL-5 release cycle.
RHEL-5.10 (the next RHEL-5 minor release) is going to be the first
production phase 2 [1] release of RHEL-5. Since phase 2 we'll be addressing
only security and critical issues I am closing this bug as WONTFIX.
Note that this issue is already tracked in RHEL6 (Bug #736445).

[1] https://access.redhat.com/support/policy/updates/errata/
Comment 7 jennifer.sun 2018-06-21 02:11:17 UTC 
May I know in which version of REL-Hat the bug has been fixed?
Comment 8 Jeff Sheltren 2018-06-21 14:13:29 UTC 
(In reply to jennifer.sun from comment #7)
> May I know in which version of REL-Hat the bug has been fixed?

It was fixed in EL6 with this update: https://access.redhat.com/errata/RHBA-2014:1408