bug-wget

Re: [Bug-wget] Probs downloading secure content on Cygwin/Windows 7/64


From: Ander Juaristi
Subject: Re: [Bug-wget] Probs downloading secure content on Cygwin/Windows 7/64
Date: Mon, 31 Aug 2015 02:45:11 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.2.0

On 08/28/2015 08:30 PM, L Walsh wrote:

> wget
> "https://get.adobe.com/flashplayer/download/?installer=FP_18_for_Firefox_-_NPAPI&os=Windows%207&browser_type=Gecko&browser_dist=Firefox&p=mss";
>
> --2015-08-28 11:17:19--
> https://get.adobe.com/flashplayer/download/?installer=FP_18_for_Firefox_-_NPAPI&os=Windows%207&browser_type=Gecko&browser_dist=Firefox&p=mss
>
> Resolving webproxy (webproxy)... 192.168.4.1, 192.168.3.1
> Connecting to webproxy (webproxy)|192.168.4.1|:8118... connected.
> ERROR: The certificate of ‘get.adobe.com’ is not trusted.
> ERROR: The certificate of ‘get.adobe.com’ hasn't got a known issuer.
> -----
> I went into my web browser (which doesn't seem to have an issue with the
> cert), looked at the security for the page and exported the Security Cert chain
> to a ".crt" file.
> In Windows, I could click on that to install the cert into Windows' local
> store and it was "imported successfully".
>
> But it seems wget still doesn't know how to use the native
> machine's cert-store.


It works well on my Linux box, which is hardly surprising if you have a quick 
look at the GnuTLS code:

    const char *ca_directory;

    ...

    ca_directory = opt.ca_directory ? opt.ca_directory : "/etc/ssl/certs";

Looks like non-Unix-like operating systems were completely forgotten when such 
code was written.
And even if you're on something Unix-like, hard-coding the certificate store to "/etc/ssl/certs" seems to me far from being portable, but anyway.

However, if you look a couple of lines above, you can see:

    #if GNUTLS_VERSION_MAJOR >= 3
      if (!opt.ca_directory)
        ncerts = gnutls_certificate_set_x509_system_trust (credentials);
    #endif

Which basically tells GnuTLS to load the system's CA files on its own. This is what you want. But this only happens when your available GnuTLS library version is greater than or equal to 3. If it's an older version, you're f***ed if your system does not have a readable "/etc/ssl/certs" directory with CAs in it.

Thus, given your symptoms, one of the following might happen:

1. The GnuTLS library version your Wget installation is linked against is lower than 3. Thus, since you haven't specified '--ca-directory' (see solution below), it's trying to locate the system CAs in "/etc/ssl/certs", which obviously does not exist on Windows. Or maybe it does (I've never used Cygwin so I don't know how its file system works), but for some reason Wget can't find CAs in it.

2. Your compiled GnuTLS library version is equal to or greater than 3, but there's a bug in it that prevents it from finding system CAs on Windows.

Now, in either case, it looks like the '--ca-directory' option (which maps to the 'ca_directory' variable in the code) painlessly overrides everything. So my suggestion is to do some research on where the system CAs are located on Windows, and pass that path to '--ca-directory':

    $ wget --ca-directory=C:\foo\certs ...

Let us know if that works :D

> Shouldn't it be able to use the native host's cert store automatically,
> or is there some extra magic words / switches I should have known to
> use?
>
> ;-/
>
> Ever since the cert checking was turned on in wget, the only way I've been
> able to d/l secure stuff is to tell it to ignore the security, which seems
> like it might be counter-productive.
>
> Seems a lot like the standard security problem of it making it so difficult
> to use that people simply create an alias to never check security -- which
> can't be better than before, when I wasn't taught to turn off security (not
> that I usually do, but it seems like that's the direction I'm being "herded"...
> ;-)
>
> help?
>
> version info:
> law.Bliss> wget --version
> GNU Wget 1.16.1 built on cygwin.
>
> +digest +https +ipv6 +iri +large-file +nls +ntlm +opie -psl +ssl/gnutls
>
> Wgetrc:
>    /Users/law.Bliss/.wgetrc (user)
>    /etc/wgetrc (system)
> Locale:
>    /usr/share/locale
> Compile:
>    gcc -DHAVE_CONFIG_H -DSYSTEM_WGETRC="/etc/wgetrc"
>    -DLOCALEDIR="/usr/share/locale" -I.
>    -I/usr/src/wget-1.16.1-1.x86_64/src/wget-1.16.1/src -I../lib
>    -I/usr/src/wget-1.16.1-1.x86_64/src/wget-1.16.1/lib
>    -I/usr/include/uuid -I/usr/include/p11-kit-1 -DHAVE_LIBGNUTLS
>    -DNDEBUG -ggdb -O2 -pipe -Wimplicit-function-declaration
>    -fdebug-prefix-map=/usr/src/wget-1.16.1-1.x86_64/build=/usr/src/debug/wget-1.16.1-1
>    -fdebug-prefix-map=/usr/src/wget-1.16.1-1.x86_64/src/wget-1.16.1=/usr/src/debug/wget-1.16.1-1
> Link:
>    gcc -I/usr/include/uuid -I/usr/include/p11-kit-1 -DHAVE_LIBGNUTLS
>    -DNDEBUG -ggdb -O2 -pipe -Wimplicit-function-declaration
>    -fdebug-prefix-map=/usr/src/wget-1.16.1-1.x86_64/build=/usr/src/debug/wget-1.16.1-1
>    -fdebug-prefix-map=/usr/src/wget-1.16.1-1.x86_64/src/wget-1.16.1=/usr/src/debug/wget-1.16.1-1
>    -liconv -lintl -lpcre -luuid -lnettle -lgnutls -lz -lintl -liconv
>    -lp11-kit -lgmp -lhogweed -lgmp -lnettle -ltasn1 -lp11-kit -lz -lz
>    -lidn ftp-opie.o gnutls.o http-ntlm.o ../lib/libgnu.a
>
> Copyright (C) 2014 Free Software Foundation, Inc.
> License GPLv3+: GNU GPL version 3 or later
> <http://www.gnu.org/licenses/gpl.html>.
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.
>
> Originally written by Hrvoje Niksic <address@hidden>.
> Please send bug reports and questions to <address@hidden>.





Regards,
- AJ
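Added example, not part of this thread or of wget itself: a POSIX shell helper for building the directory that AJ's `--ca-directory` suggestion points at, from a chain exported by a browser. It assumes, as wget's GnuTLS backend does, that every regular file in that directory is read as a single PEM certificate, so a Windows export must be the Base-64 (PEM) form or be converted from DER; the sample bundle in `demo` is constructed placeholder text, not real certificates.

```shell
#!/bin/sh
# Build a directory usable as wget --ca-directory from a browser-exported
# CA chain.  wget's GnuTLS backend loads every regular file in that
# directory as one PEM certificate, so a multi-cert export must be split
# into one file per certificate, and a DER (binary) export converted first.

# Copy one certificate to OUT as PEM, converting from DER when needed
# (the DER branch assumes the openssl command-line tool is installed).
to_pem() {
    if grep -q 'BEGIN CERTIFICATE' "$1"; then
        cp "$1" "$2"
    else
        openssl x509 -inform DER -in "$1" -out "$2"
    fi
}

# Split a PEM bundle into OUTDIR/cert-N.pem; prints how many were found.
split_pem_bundle() {
    mkdir -p "$2"
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem" }
        f != "" { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }
        END { print n + 0 }
    ' "$1"
}

# Return non-zero if any regular file in DIR is not PEM: wget cannot load
# such a file, so you would trust fewer CAs than the directory suggests.
check_ca_dir() {
    bad=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        grep -q 'BEGIN CERTIFICATE' "$f" || { echo "not PEM: $f" >&2; bad=1; }
    done
    return "$bad"
}

# Constructed demonstration: a fake two-certificate bundle (placeholder
# bodies, not real certificates) split into a fresh CA directory.
demo() {
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'AAAA' '-----END CERTIFICATE-----' \
                  '-----BEGIN CERTIFICATE-----' 'BBBB' '-----END CERTIFICATE-----' \
        > "$d/chain.pem"
    split_pem_bundle "$d/chain.pem" "$d/cadir"
    check_ca_dir "$d/cadir" && echo "now run: wget --ca-directory=$d/cadir <URL>"
}
```

When passing the resulting path to wget from a Cygwin shell, quote it so the shell does not strip backslashes from a Windows-style path.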


