Bug 667825 - wget feature request: support for SAN/UCC SSL Certs RFC 3280 part 4.2.1.7
Summary: wget feature request: support for SAN/UCC SSL Certs RFC 3280 part 4.2.1.7
Status: CLOSED DUPLICATE of bug 674186
Alias: None
Product: Fedora
Classification: Fedora
Component: wget
Version: 14
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Karsten Hopp
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
Reported: 2011-01-06 22:12 UTC by Matt McCutchen
Modified: 2011-08-06 02:17 UTC (History)

Clone Of: 569716
Last Closed: 2011-08-06 02:17:52 UTC


Description Matt McCutchen 2011-01-06 22:12:39 UTC
Bug 569716 has been zapped but still affects Fedora 14, and no one has reopened it in a month after my comment, so I am cloning it.  If the noise annoys you, see bug 573535.

+++ This bug was initially created as a clone of Bug #569716 +++

Description of problem:

In order to save on IP addresses for multiple related SSL sites, we wish to implement SAN/UCC SSL Certs with multiple 'alternate name' fields. We have done this in testing and have found that several of our clients' back-end systems do not check the alternate name and throw security errors. We use wget for much scripting, and I have tested against our test site and found it does not follow this part of this RFC. This can be worked around with --no-check-certificate but it would be better if wget could correctly validate these certs natively so that security can be preserved.


Version-Release number of selected component (if applicable):

Tested on "GNU Wget 1.12 built on linux-gnu." but all versions expected incompatible. 

How reproducible:

Every time

Steps to Reproduce:
1. Set up a server with a SAN/UCC SSL Certificate
2. Attempt to download a test file via a URL specified in the Alternate Name Field
3. Observe error.
  
Actual results:

[ant@ant ~]$ wget 'https://syd.xxxxxxxxx.net.au/cc/cc2.cgi?cid=58111226666'
--2010-03-02 17:00:42--  https://syd.xxxxxxxxx.net.au/cc/cc2.cgi?cid=58111226666
Resolving syd.xxxxxxxxx.net.au... 222.222.222.222
Connecting to syd.xxxxxxxxx.net.au|222.222.222.22|:443... connected.
ERROR: cannot verify syd.xxxxxxxxx.net.au’s certificate, issued by “/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=123456”:
  Unable to locally verify the issuer’s authority.
ERROR: certificate common name “xxxxxxxxx.net.au” doesn’t match requested host name “syd.xxxxxxxxx.net.au”.
To connect to syd.xxxxxxxxx.net.au insecurely, use ‘--no-check-certificate’.


Expected results:

[ant@ant ~]$ wget 'https://syd.xxxxxxxxx.net.au/cc/cc2.cgi?cid=58111226666'
--2010-03-02 17:21:32--  https://syd.xxxxxxxxx.net.au/cc/cc2.cgi?cid=58111226666
Resolving syd.xxxxxxxxx.net.au... 222.222.222.22
Connecting to syd.xxxxxxxxx.net.au|222.222.222.22|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: “cc2.cgi?cid=58111226666”

    [ <=>                                                                                                   ] 2,910       --.-K/s   in 0.03s   

2010-03-02 17:21:32 (97.7 KB/s) - “cc2.cgi?cid=58111226666” saved [2910]

Additional info:

This functionality is defined in RFC3280 part 4.2.1.7.
http://www.ietf.org/rfc/rfc3280.txt

If this functionality was supported and pushed upstream to the wget project it would probably do a lot of people a lot of good in both the wallet and for security. This would also be very good for RHEL, but I'm hoping it's seen here and also ends up in RHEL 6. :)

--- Additional comment from matt@mattmccutchen.net on 2010-08-15 03:59:25 EDT ---

This is fixed upstream but unreleased:

https://savannah.gnu.org/bugs/index.php?20421

--- Additional comment from triage@lists.fedoraproject.org on 2010-11-03 16:59:40 EDT ---


This message is a reminder that Fedora 12 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 12.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '12'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 12's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 12 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

--- Additional comment from triage@lists.fedoraproject.org on 2010-12-03 17:09:22 EST ---


Fedora 12 changed to end-of-life (EOL) status on 2010-12-02. Fedora 12 is 
no longer maintained, which means that it will not receive any further 
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of 
Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.

--- Additional comment from matt@mattmccutchen.net on 2010-12-03 22:06:46 EST ---

The problem still exists with wget-1.12-2.fc13.x86_64 in Fedora 14.

$ wget https://mattmccutchen.net/
--2010-12-03 21:47:34--  https://mattmccutchen.net/
Resolving mattmccutchen.net... 75.119.219.170
Connecting to mattmccutchen.net|75.119.219.170|:443... connected.
ERROR: certificate common name “www.mattmccutchen.net” doesn’t match requested host name “mattmccutchen.net”.
To connect to mattmccutchen.net insecurely, use ‘--no-check-certificate’.
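The two failures above are the same defect: wget 1.12 compares the requested host only against the subject commonName and never looks at the subjectAltName extension that RFC 3280 section 4.2.1.7 defines. The matching rule that SAN-aware clients apply (RFC 2818 section 3.1, later RFC 6125 section 6.4) is: if the certificate carries any dNSName entries in subjectAltName, those entries are the identity and the CN is ignored; the CN is consulted only for certificates with no dNSName at all. The block below is an added example, not wget's or Fedora's code, showing the CN-only check next to the SAN-aware one. Certificates are represented in the dictionary shape Python's `ssl.getpeercert()` returns; the certificate contents (including which names sit in the SAN of the two sites in this bug) are constructed for illustration and are assumptions, not taken from the real certificates.

```python
"""Hostname verification that honours subjectAltName (RFC 3280 4.2.1.7,
matching rules per RFC 2818 3.1 / RFC 6125 6.4), shown next to the CN-only
check this bug reports for wget 1.12.  Added example, not wget's code."""

from typing import Any, Mapping

# Certificates use the shape ssl.getpeercert() returns, so the checks can
# be placed in front of a real TLS socket without re-parsing the DER.
Cert = Mapping[str, Any]


def _dns_label_match(pattern: str, hostname: str) -> bool:
    """Case-insensitive match of one presented identifier against a hostname.

    A wildcard is honoured only as the entire leftmost label ('*.example.com')
    and matches exactly one label (RFC 6125 section 6.4.3).  Anything more
    permissive ('f*o.example.com', '*.*.com', '*.com', a bare '*') is refused.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[2:] or len(p_labels) < 3:
        return False
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def _common_names(cert: Cert) -> list:
    """All commonName values in the subject (an RDN sequence of (key, value) pairs)."""
    return [v for rdn in cert.get("subject", ()) for (k, v) in rdn if k == "commonName"]


def cn_only_match(cert: Cert, hostname: str) -> bool:
    """The behaviour reported for wget 1.12: compare the requested host
    against the subject commonName and ignore subjectAltName entirely."""
    return any(_dns_label_match(cn, hostname) for cn in _common_names(cert))


def san_aware_match(cert: Cert, hostname: str) -> bool:
    """RFC 2818 / RFC 6125 rule: when any dNSName SAN is present those names
    are authoritative and the CN is not consulted; the CN is only a fallback
    for certificates that carry no dNSName at all."""
    dns_names = [v for (kind, v) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if dns_names:
        return any(_dns_label_match(n, hostname) for n in dns_names)
    return cn_only_match(cert, hostname)


def verify(cert: Cert, hostname: str) -> None:
    """Fail closed, with the kind of message wget prints, on a mismatch."""
    if not san_aware_match(cert, hostname):
        raise ValueError(f"certificate does not match requested host name {hostname!r}")


# Constructed certificates modelled on the two reports in this bug.  The SAN
# contents are assumptions: the bug only says the requested host appears in
# the alternative-name field, not what else the field holds.
UCC_CERT: Cert = {
    "subject": ((("commonName", "xxxxxxxxx.net.au"),),),
    "subjectAltName": (("DNS", "xxxxxxxxx.net.au"),
                       ("DNS", "syd.xxxxxxxxx.net.au")),
}
PERSONAL_CERT: Cert = {
    "subject": ((("commonName", "www.mattmccutchen.net"),),),
    "subjectAltName": (("DNS", "www.mattmccutchen.net"),
                       ("DNS", "mattmccutchen.net")),
}
CN_ONLY_CERT: Cert = {  # legacy certificate with no SAN extension at all
    "subject": ((("commonName", "legacy.example"),),),
}
MISMATCH_CERT: Cert = {  # SAN present, so a matching CN must NOT rescue it
    "subject": ((("commonName", "syd.xxxxxxxxx.net.au"),),),
    "subjectAltName": (("DNS", "other.example"),),
}

if __name__ == "__main__":
    for cert, host in ((UCC_CERT, "syd.xxxxxxxxx.net.au"),
                       (PERSONAL_CERT, "mattmccutchen.net")):
        print(f"{host}: CN-only={cn_only_match(cert, host)} "
              f"SAN-aware={san_aware_match(cert, host)}")
```

Two points worth noting when reading the output. First, the "SAN present, CN ignored" rule cuts both ways: `MISMATCH_CERT` has a CN equal to the requested host yet must be rejected, because a CA that issues a SAN certificate vouches for the SAN names and the CN is then just a display string. Second, the first error in the original transcript ("Unable to locally verify the issuer's authority") is a separate chain-building failure, independent of name matching, and a SAN fix would not clear it on its own.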

Comment 1 Matt McCutchen 2011-08-06 02:17:52 UTC

*** This bug has been marked as a duplicate of bug 674186 ***