I have a site rigged for testing at <https://gordhsome.fecyk.ca/testing/> and am trying to get command line web clients like wget working on it. They're failing miserably, even after interactive clients like Netscape 6, Opera 6 and IE 5 succeed. It's imperative to a project I'm working on that a command line HTTP fetcher works with client side certificates.
I'm using a homebrewed certificate authority and certs generated from OpenSSL 0.9.6b. The server in question is the Win2K Pro version of IIS5 (patched to the hilt as of 26 FEB 2002). The certificates are available for testing at <http://www.fecyk.ca/testuser.zip>.

The command line was like this on 1.7.1:

    wget --sslcertfile=testuser.crt --sslcertkey=testuser.key https://gordshome.fecyk.ca/testing/

...and like this on 1.8.1:

    wget --sslcertfile=testuser.pem https://gordshome.fecyk.ca/testing/

...the latter will prompt you for a PEM password. Both do the same thing - retry multiple times and fail. My server has log entries such as the following:

    2002-02-28 22:48:35 205.200.194.211 GORDSHOME\testuser GET /testing/ - 500 10053 408 118 HTTP/1.0 gordshome.fecyk.ca Wget/1.7.1-pre1

The 10053 is a Winsock WSAECONNABORTED error. cURL does something similar with a "53 empty response from server" error.

So far I've only seen this problem with wget 1.7.1 on Win32, wget 1.8.1 on some *ix (I forget - that was tested by a third party and I forgot to ask him what OS he ran) and with cURL 7.9.3 under Win32 and MacOS X. Seeing that I thought it might've been a problem with OpenSSL - the only commonality between the two.

Then I tried OpenSSL's s_client test:

    openssl s_client -cert testuser.crt -key testuser.key -connect gordshome.fecyk.ca:443 -prexit

...that first failed because OpenSSL didn't recognize the CA cert that signed testuser.crt (Verify return code: 21 (unable to verify the first certificate)). Then I added the CA cert:

    openssl s_client -CAfile fecyk.ca.crt -cert testuser.crt -key testuser.key -connect gordshome.fecyk.ca:443 -prexit

...after this I hand-crafted a HTTP 1.1 request to fetch /testing/ and it succeeded. This leads me to believe OpenSSL is working correctly.

I'm wondering if wget is failing because it's seeing the OpenSSL verify code above and doesn't know about the new CA cert. https:// in general seems to work OK because it can fetch https://www.microsoft.com/ and other things.

Does wget need the CA certificate? If so, how do I make it recognize the CA cert? Could there be some common way to make both wget and cURL work by having OpenSSL see the new CA cert?

-- 
PGP key (0x1B5FDCEE): <http://www.orca.bc.ca/win95/GordonFecyk.asc>
Confidential and privileged e-mail needs PGP. <http://www.pgpi.org/>
GOD BLESS AMER, er, THE INTERNET. <http://vmyths.com/rant.cfm?id=401&page=4>
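The with-and-without-CA comparison from the s_client test above, reproduced offline as an added example (not part of the original post, and not wget or OpenSSL project code). It builds a constructed throwaway CA and client certificate, then checks that the certificate verifies only against its issuing CA and that the private key matches the certificate. All file names and subjects are constructed, and `openssl verify` stands in for s_client so no server is contacted.

```shell
#!/bin/sh
# Added example: every name, subject and file below is constructed.

# make_test_pki DIR: create a throwaway CA, a client cert signed by it,
# and a second, unrelated self-signed CA for the negative case.
make_test_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Test CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Unrelated Test CA" \
        -keyout "$d/other.key" -out "$d/other.crt" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=testuser" \
        -keyout "$d/user.key" -out "$d/user.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/user.csr" -days 1 \
        -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
        -out "$d/user.crt" 2>/dev/null
}

# chains_to_ca CAFILE CERT: succeed only if CERT verifies against CAFILE.
# Matching on the "OK" line avoids relying on the tool's exit status.
chains_to_ca() {
    openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'
}

# key_matches_cert CERT KEY: succeed only if the private key in KEY
# carries the same public key as CERT (a mismatched pair cannot work).
key_matches_cert() {
    a=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    b=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Demonstration run on constructed material in a temporary directory.
demo_dir=$(mktemp -d) && make_test_pki "$demo_dir" && {
    chains_to_ca "$demo_dir/ca.crt" "$demo_dir/user.crt" &&
        echo "issuing CA supplied: certificate verifies"
    chains_to_ca "$demo_dir/other.crt" "$demo_dir/user.crt" ||
        echo "unrelated CA supplied: certificate rejected"
    key_matches_cert "$demo_dir/user.crt" "$demo_dir/user.key" &&
        echo "private key matches certificate"
}
rm -rf "$demo_dir"
```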
