Package: wget
Version: 1.12-2.1
Severity: important
Tags: security

Hi.

wget seems to fall back to using the system-installed certificates
(/etc/ssl/certs) for validating server certs, even if --ca-certificate=
AND/OR --ca-directory= are given, e.g.

wget --ca-certificate=/dev/null --ca-directory=/tmp/emptydir https://example.org/

The manpage says however:
       Without this option Wget looks for CA certificates at the system-
       specified locations, chosen at OpenSSL installation time.

Which implies that it does not if at least one of the two options is given.


This might even be very security critical: imagine that I want to download a
very important file, assuring that the server uses the _right_ certificate,
issued by the _right_ CA (and not just any of the dozen CAs installed).
I'd do something like:
wget --ca-certificate=myOwnSuperSecureCAcert https://example.org/superImportantContent
and expect that it only accepts the SSL handshake if the server cert is issued
by myOwnSuperSecureCAcert.

It does, however, if any of the system-installed CAs issued it.



Cheers,
Chris.
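
As an added example, not part of Chris's report and not wget's own code: the
distinction the report turns on (trust only the CA I name, versus that CA plus
whatever the system store holds) can be reproduced offline with OpenSSL's own
verifier, whose -CAfile option on its own does not exclude the default CA
directory either; -no-CAfile/-no-CApath are what exclude it. The script below
generates two throwaway CAs and a server certificate from each, builds a hashed
CA directory of its own as a stand-in for /etc/ssl/certs, and compares a pinned
check against the fallback behaviour described above. It assumes only that the
openssl command line tool (1.1.0 or later, for -no-CAfile/-no-CApath) is
installed; the CA names, file names and the $WORK/store directory are made up
for the example.

```shell
#!/bin/sh
# Added example (not from the bug report above): reproduce, offline, the
# difference between "trust only my CA" and "my CA plus the system store"
# using OpenSSL's own verifier. Assumes only the openssl CLI (>= 1.1.0, for
# -no-CAfile/-no-CApath) is installed; every certificate below is generated
# here, and $WORK/store stands in for /etc/ssl/certs.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed CA: $1 is a short name, used for the file names and the subject.
mk_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1 CA" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# Server certificate for example.org, issued by the CA named in $1.
mk_server_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=example.org" \
    -keyout "$WORK/server-$1.key" -out "$WORK/server-$1.csr" >/dev/null 2>&1 &&
  openssl x509 -req -days 1 -in "$WORK/server-$1.csr" \
    -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
    -out "$WORK/server-$1.pem" >/dev/null 2>&1
}

# Build the fixture once: "mine" is the CA I want to pin to, "other" stands in
# for one of the dozen CAs shipped in the system store, and $WORK/store is a
# hashed CA directory (what -CApath / --ca-directory expects) holding "other".
setup() {
  [ -f "$WORK/server-other.pem" ] && return 0
  mk_ca mine && mk_ca other &&
  mk_server_cert mine && mk_server_cert other &&
  mkdir -p "$WORK/store" &&
  cp "$WORK/other.pem" "$WORK/store/$(openssl x509 -hash -noout -in "$WORK/other.pem").0"
}

# Did openssl verify accept the chain? Checked on the ": OK" line rather than
# the exit status, which older openssl versions did not set on failure.
accepted() {
  grep -q ': OK$'
}

# Strict check: $2 must chain to the CA in $1 and nothing else. -no-CAfile and
# -no-CApath stop openssl from silently adding the system-wide locations.
pinned_verify() {
  openssl verify -no-CAfile -no-CApath -CAfile "$1" "$2" 2>/dev/null | accepted
}

# What the reporter observed: the given CA file is used, but a directory of
# system CAs ($WORK/store here) is consulted as well.
fallback_verify() {
  openssl verify -no-CAfile -CAfile "$1" -CApath "$WORK/store" "$2" 2>/dev/null | accepted
}

demo() {
  setup || { echo "fixture generation failed (is openssl installed?)" >&2; return 1; }
  for issuer in mine other; do
    cert="$WORK/server-$issuer.pem"
    pinned_verify "$WORK/mine.pem" "$cert" && p=accepted || p=rejected
    fallback_verify "$WORK/mine.pem" "$cert" && f=accepted || f=rejected
    echo "server cert issued by '$issuer': pinned=$p, with-system-store=$f"
  done
}

demo
```

The line to look for is the one for the certificate issued by "other": the
pinned check rejects it, the fallback check accepts it, which is exactly the
gap between what the manpage promises and what the report describes. The same
pinned/fallback split is the check worth running against any downloader given
--ca-certificate or --ca-directory before relying on it for pinning.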
