Bug 186916 – wget bug when retrieving https-sites

Bug 186916 - wget bug when retrieving https-sites

Summary:	wget bug when retrieving https-sites

Status:	CLOSED DEFERRED

Aliases:	None

Product:	Red Hat Enterprise Linux 3
Classification:	Red Hat
Component:	openssl (Show other bugs)
Sub Component:
Version:	3.0
Hardware:	i386 Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Tomas Mraz
QA Contact:	Brian Brock
Docs Contact:

URL:
Whiteboard:
Keywords:

Depends On:
Blocks:
	Show dependency tree / graph

Reported:	2006-03-27 09:16 EST by Stephan Hendl
Modified:	2007-11-30 17:07 EST (History)
CC List:	1 user (show)

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2006-04-03 17:43:33 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Stephan Hendl 2006-03-27 09:16:24 EST

Description of problem:
wget uses the ca-bundle.crt file provided by openssl as standard reference for
CAs. This file is very old ;-((. Esp. certificates provided by TC TrustCenter
which are valid until 2011 are not in it.

The man page says that if you add a parameter "--ca-certificate=<filename>" wget
would use this file as an input - but it doesn't work. The validity of the
server certificate for the host "www.internetwache.brandenburg.de" ends an
05/02/2006.


Version-Release number of selected component (if applicable):
wget-1.10.2-0.30E

How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:
root@pns8:~# wget --ca-certificate="/root/tcclass3-2011.pem" 
https://www.internetwache.brandenburg.de
--16:17:32--  https://www.internetwache.brandenburg.de/
           => `index.html'
Resolving www.internetwache.brandenburg.de... 194.76.232.166
Connecting to www.internetwache.brandenburg.de|194.76.232.166|:443... connected.
ERROR: Certificate verification error for www.internetwache.brandenburg.de:
certificate has expired
To connect to www.internetwache.brandenburg.de insecurely, use
`--no-check-certificate'.
Unable to establish SSL connection.

Expected results:
no errors

Additional info:

Comment 2 Tomas Mraz 2006-04-03 17:43:33 EDT

You can modify the contents of the ca-bundle.crt file to include the
certificates which are relevant for you. It is even more secure to include
strictly only the certificates of CAs which you trust and whose policies you
have read.

This problem will be resolved in a future major release of Red Hat Enterprise
Linux. Red Hat does not currently plan to provide a resolution for this in a Red
Hat Enterprise Linux update for currently deployed systems.

With the goal of minimizing risk of change for deployed systems, and in response
to customer and partner requirements, Red Hat takes a conservative approach when
evaluating changes for inclusion in maintenance updates for currently deployed
products. The primary objectives of update releases are to enable new hardware
platform support and to resolve critical defects.

Comment 3 Tomas Mraz 2006-04-03 17:44:24 EDT

Closed - Deferred

Note You need to log in before you can comment on or make changes to this bug.