Re: [Bug-wget] --no-check-cert does not avoid cert warning

[Tim Rühsen]

There is the situation where --no-check-cert is implicitly set (.wgetrc, 
/etc/wgetrc, alias) and the user isn't aware of it. Just downloading without a 
warning opens a huge security hole because you can't verify where you 
downloaded it from (DNS attacks, MITM).
I leave it to your imagination what could happen to people in unsafe 
countries... this warning could save lives.

For an expert like Karl, this is just annoying.

The warning text could be worked on, makeing clear that you are really leaving 
secure ground, that cert checking has been explicitly turned off and how to 
turn it on again. And only proceed if you really, really are aware of what you 
are doing.

Of course all this applies to HTTP (plain text) as well. But someone 
requesting HTTPS and than dropping the gained security should be warned by 
default.

My thinking is a pessimistic approach, but as long as you can't be 100% sure 
that bad things can't happend due to dropping the warning, we should leave it 
(and improve it the best we can).

Tim


Am Montag, 30. November 2015, 15:27:08 schrieb Giuseppe Scrivano:
> Hi Karl,
> 
> Karl Berry  writes:
> > With wget 1.17 (at least),
> > 
> > $ wget -nv --no-check-cert https://www.gnu.org -O /dev/null
> > 
> > WARNING: cannot verify www.gnu.org's certificate, issued by 'CN=Gandi 
Standard SSL CA 2,O=Gandi,L=Paris,ST=Paris,C=FR':
> >   Unable to locally verify the issuer's authority.
> > 
> > Maybe I'm crazy, but it seems like pointless noise to complain that a
> > certificate cannot be verified when wget has been explicitly told not to
> > check it.  Looking at the source, the only way I see to get rid of the
> > warning is with --silent, which would also eliminate real errors.
> 
> the only difference with --no-check-cert is that wget will fail and exit
> immediately when the certificate is not valid.  The idea behind
> --no-check-cert was probably to not abort the execution of wget but
> still inform the user about an invalid certificate, as the documentation
> says:
> 
>   This option forces an ``insecure'' mode of
>   operation that turns the certificate verification errors into warnings
>   and allows you to proceed.
> 
> I am personally in favor of dropping the warning, as it is doing
> something the user asked to not do.
> 
> Anybody has something against this patch?
> 
> Regards,
> Giuseppe
> 
> diff --git a/doc/wget.texi b/doc/wget.texi
> index c647e33..6aeda72 100644
> --- a/doc/wget.texi
> +++ b/doc/wget.texi
> @@ -1714,9 +1714,7 @@ handshake and aborting the download if the
> verification fails. Although this provides more secure downloads, it does
> break
>  interoperability with some sites that worked with previous Wget
>  versions, particularly those using self-signed, expired, or otherwise
> -invalid certificates.  This option forces an ``insecure'' mode of
> -operation that turns the certificate verification errors into warnings
> -and allows you to proceed.
> +invalid certificates.
> 
>  If you encounter ``certificate verification'' errors or ones saying
>  that ``common name doesn't match requested host name'', you can use
> diff --git a/src/gnutls.c b/src/gnutls.c
> index d1444fe..b48e4e8 100644
> --- a/src/gnutls.c
> +++ b/src/gnutls.c
> @@ -686,12 +686,13 @@ ssl_check_certificate (int fd, const char *host)
> 
>unsigned int status;
>int err;
> -
> -  /* If the user has specified --no-check-cert, we still want to warn
> - him about problems with the server's certificate.  */
> -  const char *severity = opt.check_cert ? _("ERROR") : _("WARNING");
> +  const char *severity = _("ERROR");
>bool success = true;
> 
> +  /* The user explicitly said to not check for the certificate.  */
> +  if (!opt.check_cert)
> +return success;
> +
>err = gnutls_certificate_verify_peers2 (ctx->session, );
>if (err < 0)
>  {
> @@ -766,5 +767,5 @@ ssl_check_certificate (int fd, const char *host)
>  }
> 
>   out:
> -  return opt.check_cert ? success : true;
> +  return success;
>  }
> diff --git a/src/openssl.c b/src/openssl.c
> index 4876048..f5fe675 100644
> --- a/src/openssl.c
> +++ b/src/openssl.c
> @@ -673,15 +673,15 @@ ssl_check_certificate (int fd, const char *host)
>long vresult;
>bool success = true;
>bool alt_name_checked = false;
> -
> -  /* If the user has specified --no-check-cert, we still want to warn
> - him about problems with the server's certificate.  */
> -  const char *severity = opt.check_cert ? _("ERROR") : _("WARNING");
> -
> +  const char *severity = _("ERROR");
>struct openssl_transport_context *ctx = fd_transport_context (fd);
>SSL *conn = ctx->conn;
>assert (conn != NULL);
> 
> +  /* The user explicitly said to not check for the certificate.  */
> +  if (!opt.check_cert)
> +return success;
> +
>cert = SSL_get_peer_certificate (conn);
>if (!cert)
>  {
> @@ -885,8 +885,7 @@ ssl_check_certificate (int fd, const char *host)
>  To connect to %s insecurely, use 

Re: [Bug-wget] --no-check-cert does not avoid cert warning

[Ángel González]

On 30/11/15 22:33, Tim Rühsen wrote:

There is the situation where --no-check-cert is implicitly set (.wgetrc,
/etc/wgetrc, alias) and the user isn't aware of it. Just downloading without a
warning opens a huge security hole because you can't verify where you
downloaded it from (DNS attacks, MITM).
I leave it to your imagination what could happen to people in unsafe
countries... this warning could save lives.

For an expert like Karl, this is just annoying.

The warning text could be worked on, makeing clear that you are really leaving
secure ground, that cert checking has been explicitly turned off and how to
turn it on again. And only proceed if you really, really are aware of what you
are doing.

Of course all this applies to HTTP (plain text) as well. But someone
requesting HTTPS and than dropping the gained security should be warned by
default.

My thinking is a pessimistic approach, but as long as you can't be 100% sure
that bad things can't happend due to dropping the warning, we should leave it
(and improve it the best we can).

Tim


An alternative to make  --no-check-certificate silent would be to 
provide a parameter to explicitely silence it:

 --no-check-certificate=quiet

Re: [Bug-wget] --no-check-cert does not avoid cert warning

[Karl Berry]

I understand, though don't completely agree with, Tim's pessimistic
scenario.  In any case, my wish is that there be a way to get rid of the
warning message (other than being completely silent).  Whether it is
done via changing --no-check-cert or via some new/other option doesn't
matter to me.

I am using wget from a script, as surely many people do, and it is far
too annoying for every invocation of wget to give a useless warning
message.  At present, I'm using curl -sS instead :(.

On the other front, IMHO the text of the warning message is immaterial.
Either people will understand, or care enough to look it up and figure
out what's happening, or no text will be good enough.

thanks,
k

Re: [Bug-wget] --no-check-cert does not avoid cert warning

[Giuseppe Scrivano]

Hi Karl,


Karl Berry  writes:

> With wget 1.17 (at least),
>
> $ wget -nv --no-check-cert https://www.gnu.org -O /dev/null
> WARNING: cannot verify www.gnu.org's certificate, issued by 'CN=Gandi 
> Standard SSL CA 2,O=Gandi,L=Paris,ST=Paris,C=FR':
>   Unable to locally verify the issuer's authority.
>
> Maybe I'm crazy, but it seems like pointless noise to complain that a
> certificate cannot be verified when wget has been explicitly told not to
> check it.  Looking at the source, the only way I see to get rid of the
> warning is with --silent, which would also eliminate real errors.

the only difference with --no-check-cert is that wget will fail and exit
immediately when the certificate is not valid.  The idea behind
--no-check-cert was probably to not abort the execution of wget but
still inform the user about an invalid certificate, as the documentation
says:

  This option forces an ``insecure'' mode of
  operation that turns the certificate verification errors into warnings
  and allows you to proceed.

I am personally in favor of dropping the warning, as it is doing
something the user asked to not do.

Anybody has something against this patch?

Regards,
Giuseppe

diff --git a/doc/wget.texi b/doc/wget.texi
index c647e33..6aeda72 100644
--- a/doc/wget.texi
+++ b/doc/wget.texi
@@ -1714,9 +1714,7 @@ handshake and aborting the download if the verification 
fails.
 Although this provides more secure downloads, it does break
 interoperability with some sites that worked with previous Wget
 versions, particularly those using self-signed, expired, or otherwise
-invalid certificates.  This option forces an ``insecure'' mode of
-operation that turns the certificate verification errors into warnings
-and allows you to proceed.
+invalid certificates.
 
 If you encounter ``certificate verification'' errors or ones saying
 that ``common name doesn't match requested host name'', you can use
diff --git a/src/gnutls.c b/src/gnutls.c
index d1444fe..b48e4e8 100644
--- a/src/gnutls.c
+++ b/src/gnutls.c
@@ -686,12 +686,13 @@ ssl_check_certificate (int fd, const char *host)
 
   unsigned int status;
   int err;
-
-  /* If the user has specified --no-check-cert, we still want to warn
- him about problems with the server's certificate.  */
-  const char *severity = opt.check_cert ? _("ERROR") : _("WARNING");
+  const char *severity = _("ERROR");
   bool success = true;
 
+  /* The user explicitly said to not check for the certificate.  */
+  if (!opt.check_cert)
+return success;
+
   err = gnutls_certificate_verify_peers2 (ctx->session, );
   if (err < 0)
 {
@@ -766,5 +767,5 @@ ssl_check_certificate (int fd, const char *host)
 }
 
  out:
-  return opt.check_cert ? success : true;
+  return success;
 }
diff --git a/src/openssl.c b/src/openssl.c
index 4876048..f5fe675 100644
--- a/src/openssl.c
+++ b/src/openssl.c
@@ -673,15 +673,15 @@ ssl_check_certificate (int fd, const char *host)
   long vresult;
   bool success = true;
   bool alt_name_checked = false;
-
-  /* If the user has specified --no-check-cert, we still want to warn
- him about problems with the server's certificate.  */
-  const char *severity = opt.check_cert ? _("ERROR") : _("WARNING");
-
+  const char *severity = _("ERROR");
   struct openssl_transport_context *ctx = fd_transport_context (fd);
   SSL *conn = ctx->conn;
   assert (conn != NULL);
 
+  /* The user explicitly said to not check for the certificate.  */
+  if (!opt.check_cert)
+return success;
+
   cert = SSL_get_peer_certificate (conn);
   if (!cert)
 {
@@ -885,8 +885,7 @@ ssl_check_certificate (int fd, const char *host)
 To connect to %s insecurely, use `--no-check-certificate'.\n"),
quotearg_style (escape_quoting_style, host));
 
-  /* Allow --no-check-cert to disable certificate checking. */
-  return opt.check_cert ? success : true;
+  return success;
 }
 
 /*