A method to bypass SSL certificate name vs. host name verification via NUL ('\0') character embedded in X509 certificate's CommonName or subjectAltName was presented at Black Hat USA 2009:
http://www.blackhat.com/html/bh-usa-09/bh-usa-09-archives.html#Marlinspike
A similar problem affected wget (from testing and a very quick look at the code, subjectAltNames are not supported, hence only CommonName is a vector).
Upstream bug report:
http://savannah.gnu.org/bugs/?27183 (currently not public)
Contents of upstream bug report, leaked via wget-notify list:
http://addictivecode.org/pipermail/wget-notify/2009-August/001808.html
Upstream fixes:
http://hg.addictivecode.org/wget/mainline/rev/2d8c76a23e7d
http://hg.addictivecode.org/wget/mainline/rev/f2d2ca32fd1b
http://hg.addictivecode.org/wget/mainline/rev/1eab157d3be7
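The name check described in the report above, as an added example (not wget's code, not the upstream patch, and not part of the original report): a comparison that treats the CommonName as a C string stops at the embedded NUL, while a check that uses the length carried in the certificate rejects such a name. The function names and the sample host names are constructed for illustration, and wildcard matching is left out.

```c
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Constructed sample: CommonName bytes with an embedded NUL, plus the
   length the certificate's ASN.1 string would carry (the C literal's
   own trailing NUL is excluded). Both host names are placeholders. */
static const char sample_cn[] = "good.example\0.other.example";
static const size_t sample_cn_len = sizeof(sample_cn) - 1;

/* Before: the CN is handled as a NUL-terminated string, so everything
   after the first '\0' is silently ignored by the comparison. */
int cn_matches_naive(const char *cn, const char *host)
{
    return strcasecmp(cn, host) == 0;
}

/* After: use the explicit length. A CN containing a NUL byte is
   rejected outright; otherwise all cn_len bytes must equal the host. */
int cn_matches_checked(const char *cn, size_t cn_len, const char *host)
{
    if (memchr(cn, '\0', cn_len) != NULL)
        return 0;                      /* embedded NUL: refuse the name */
    if (cn_len != strlen(host))
        return 0;                      /* lengths differ: no match */
    return strncasecmp(cn, host, cn_len) == 0;
}

int main(void)
{
    /* Exit status 0 when the naive check accepts the sample CN for
       "good.example" and the length-aware check rejects it. */
    return !(cn_matches_naive(sample_cn, "good.example") &&
             !cn_matches_checked(sample_cn, sample_cn_len, "good.example"));
}
```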
wget 1.12 was released including this fix: http://permalink.gmane.org/gmane.comp.web.wget.general/8972
This issue has been addressed in the following products:
Red Hat Enterprise Linux 3
Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 4
Via RHSA-2009:1549 https://rhn.redhat.com/errata/RHSA-2009-1549.html
wget-1.12-1.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/wget-1.12-1.fc11
wget-1.12-1.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/wget-1.12-1.fc12
wget-1.12-1.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/wget-1.12-1.fc10
wget-1.12-2.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/wget-1.12-2.fc12
wget-1.12-2.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
wget-1.12-2.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
wget-1.12-2.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.