Re: [Bug-wget] wget seems to be "out of touch" with security (fails on most (all?) http websites...(where browsers work)

Fri, 20 Dec 2013 09:04:21 -0800 


mancha wrote:

L Walsh <wget <at> tlinx.org> writes:


I recently started using 1.14 of wget included with my distro's updates:
GNU Wget 1.14 built on linux-gnu.

 
Trouble is, it gives security warnings on almost every https

site I access.

I can't think of 1 where I didn't have to override the security
warning (and this time, I just put it in my .wgetrc file).

So why does wget get all these errors when my browsers don't?


It appears your wget is built against the openssl library. For https
certificate verification to work in wget automagically as it does in
the major browsers, openssl needs a properly configured root
certificate store (default location: /etc/ssl/certs).

----
I have the latest ca-certificates for opensuse 13.1 installed:

rpm -ql ca-certificates

/etc/ca-certificates
/etc/ca-certificates/update.d
/etc/pki
/etc/pki/trust
/etc/pki/trust/anchors
/etc/pki/trust/blacklist
/etc/ssl/ca-bundle.pem
/etc/ssl/certs
/usr/lib/ca-certificates
/usr/lib/ca-certificates/update.d
/usr/lib/ca-certificates/update.d/certbundle.run
/usr/lib/ca-certificates/update.d/etc_ssl.run
/usr/lib/ca-certificates/update.d/java.run
/usr/lib/ca-certificates/update.d/openssl.run
/usr/sbin/update-ca-certificates
/usr/share/doc/packages/ca-certificates
/usr/share/doc/packages/ca-certificates/COPYING
/usr/share/doc/packages/ca-certificates/README
/usr/share/man/man8/update-ca-certificates.8.gz
/usr/share/pki
/usr/share/pki/trust
/usr/share/pki/trust/anchors
/usr/share/pki/trust/blacklist
/var/lib/ca-certificates
/var/lib/ca-certificates/ca-bundle.pem
/var/lib/ca-certificates/java-cacerts
/var/lib/ca-certificates/openssl
/var/lib/ca-certificates/pem
------------------
It shows files in /etc/ssl as well as other places.

But at the end of the update script, I notice a message:
if ($foundignored)
{

  print STDERR "\n* = CA Certificates in /etc/ssl/certs are only seen by some 
legacy applications.

To install CA-Certificates globally move them to /etc/pki/trust/ancors 
instead!\n";
}

Perhaps wget isn't using the new location?












Check your distrib's documentation/support forums/mailing lists
for how to set this up. It might be a package that you can easily
install (for example, Debian and derivatives call theirs
"ca-certificates").

This is not a wget issue proper.

--mancha































					Reply via email to