Re: [Bug-wget] --no-check-cert does not avoid cert warning
From: Giuseppe Scrivano
Subject: Re: [Bug-wget] --no-check-cert does not avoid cert warning
Date: Mon, 30 Nov 2015 15:27:08 +0100
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux)
Hi Karl,
Karl Berry <address@hidden> writes:
> With wget 1.17 (at least),
>
> $ wget -nv --no-check-cert https://www.gnu.org -O /dev/null
> WARNING: cannot verify www.gnu.org's certificate, issued by 'CN=Gandi
> Standard SSL CA 2,O=Gandi,L=Paris,ST=Paris,C=FR':
> Unable to locally verify the issuer's authority.
>
> Maybe I'm crazy, but it seems like pointless noise to complain that a
> certificate cannot be verified when wget has been explicitly told not to
> check it. Looking at the source, the only way I see to get rid of the
> warning is with --silent, which would also eliminate real errors.
The only difference with --no-check-cert is that wget will fail and exit
immediately when the certificate is not valid. The idea behind
--no-check-cert was probably to not abort the execution of wget but
still inform the user about an invalid certificate, as the documentation
says:
This option forces an ``insecure'' mode of
operation that turns the certificate verification errors into warnings
and allows you to proceed.
I am personally in favor of dropping the warning, as it is doing
something the user asked to not do.
Does anybody have anything against this patch?
Regards,
Giuseppe
diff --git a/doc/wget.texi b/doc/wget.texi
index c647e33..6aeda72 100644
--- a/doc/wget.texi
+++ b/doc/wget.texi
@@ -1714,9 +1714,7 @@ handshake and aborting the download if the verification
fails.
Although this provides more secure downloads, it does break
interoperability with some sites that worked with previous Wget
versions, particularly those using self-signed, expired, or otherwise
-invalid certificates. This option forces an ``insecure'' mode of
-operation that turns the certificate verification errors into warnings
-and allows you to proceed.
+invalid certificates.
If you encounter ``certificate verification'' errors or ones saying
that ``common name doesn't match requested host name'', you can use
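Review bot: deleting the sentence at `-invalid certificates. This option forces an ``insecure'' mode of` leaves the paragraph with no statement of what `--no-check-certificate` does after this change, and the new behaviour (verification is skipped outright, with no error or warning printed) is a bigger security-relevant change than the old "errors become warnings" wording described. Suggest replacing the removed sentence rather than dropping it, for example: `This option disables certificate verification entirely; no warning is printed and the download proceeds even if the certificate is invalid.` so readers of the manual know that nothing will alert them to a bad certificate.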
diff --git a/src/gnutls.c b/src/gnutls.c
index d1444fe..b48e4e8 100644
--- a/src/gnutls.c
+++ b/src/gnutls.c
@@ -686,12 +686,13 @@ ssl_check_certificate (int fd, const char *host)
unsigned int status;
int err;
-
- /* If the user has specified --no-check-cert, we still want to warn
- him about problems with the server's certificate. */
- const char *severity = opt.check_cert ? _("ERROR") : _("WARNING");
+ const char *severity = _("ERROR");
bool success = true;
+ /* The user explicitly said to not check for the certificate. */
+ if (!opt.check_cert)
+ return success;
+
err = gnutls_certificate_verify_peers2 (ctx->session, &status);
if (err < 0)
{
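Review bot: the early `return success;` now runs before `gnutls_certificate_verify_peers2`, so under `--no-check-cert` no verification is attempted and nothing about the peer certificate reaches the log; that matches the stated intent, but it also removes the only trace in wget's output that an unverified TLS connection was made. Consider emitting a debug-level line at the early return so a log from a scripted run with `--no-check-cert` still records that verification was bypassed. Minor: with `const char *severity = _("ERROR");` the variable is now a constant, so the messages that use it could take the literal directly and the declaration be dropped.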
@@ -766,5 +767,5 @@ ssl_check_certificate (int fd, const char *host)
}
out:
- return opt.check_cert ? success : true;
+ return success;
}
diff --git a/src/openssl.c b/src/openssl.c
index 4876048..f5fe675 100644
--- a/src/openssl.c
+++ b/src/openssl.c
@@ -673,15 +673,15 @@ ssl_check_certificate (int fd, const char *host)
long vresult;
bool success = true;
bool alt_name_checked = false;
-
- /* If the user has specified --no-check-cert, we still want to warn
- him about problems with the server's certificate. */
- const char *severity = opt.check_cert ? _("ERROR") : _("WARNING");
-
+ const char *severity = _("ERROR");
struct openssl_transport_context *ctx = fd_transport_context (fd);
SSL *conn = ctx->conn;
assert (conn != NULL);
+ /* The user explicitly said to not check for the certificate. */
+ if (!opt.check_cert)
+ return success;
+
cert = SSL_get_peer_certificate (conn);
if (!cert)
{
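Review bot: the early return here sits after `fd_transport_context (fd)` and `assert (conn != NULL)`, whereas the gnutls hunk returns before any transport work; placing it at the same point in both backends keeps them easier to compare. Because the return happens before `SSL_get_peer_certificate`, it also skips the host-name match that `alt_name_checked` tracks further down, so under `--no-check-cert` a certificate issued for a different host is accepted silently; if that is the intended contract it should be stated in the manual hunk, and as in gnutls a debug-level log line at the return would preserve a trace. Same minor point: `severity` is now always `_("ERROR")` and can be folded into the messages.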
@@ -885,8 +885,7 @@ ssl_check_certificate (int fd, const char *host)
To connect to %s insecurely, use `--no-check-certificate'.\n"),
quotearg_style (escape_quoting_style, host));
- /* Allow --no-check-cert to disable certificate checking. */
- return opt.check_cert ? success : true;
+ return success;
}
/*