[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Bug-wget] wget seems to be "out of touch" with security (fails on m

From: Daniel Kahn Gillmor
Subject: Re: [Bug-wget] wget seems to be "out of touch" with security (fails on most (all?) https websites...(where browsers work)
Date: Fri, 20 Dec 2013 17:55:40 -0500
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Icedove/24.1.1

On 12/20/2013 05:12 PM, L Walsh wrote:
> Daniel Kahn Gillmor wrote:
>>  openssl s_client -connect collaboration.opengroup.org:443
> openssl s_client -connect collaboration.opengroup.org:443
> CONNECTED(00000003)
> depth=2 C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2
> Certification Authority
> verify error:num=19:self signed certificate in certificate chain
> verify return:0

>     Verify return code: 19 (self signed certificate in certificate chain)
> ---
> -----
> I'm not well versed in reading certs, but is the problem that
> godaddy's cert looks 'self-signed'?

Nope, we expect the certificate for a root CA to be self-signed.
Godaddy's cert there is a root CA's cert.

the error report there is that the opengroup server is needlessly
including the root CA's cert in their list of certs.  the only things
servers need to send are:

 0) their end-entity ("EE")cert (the cert that belongs to the server itself)
 1) the cert of the intermediate CA that signed the EE cert, if any
 2) the cert of the intermediate CA that signed the first intermediate
CA cert, if any, etc...

and so on, up to, but not including the root CA's cert.  Why isn't the
root CA's cert necessary?  because:

 A) if the client already has the root CA's cert, there is no need to
transmit it

 B) alternately, if the client does not already have the root CA's cert,
then it has no reason to trust the root CA's cert, so why bother
transmitting it?

You probably can find a copy of godaddy's root cert in your filesystem
(e.g. in the ca-certificates package in debian, there is

tell openssl s_client that this is an acceptable root authority (e.g.
via the -CAfile option), and it should connect fine:

 openssl s_client \
  -CAfile /usr/share/ca-certificates/mozilla/Go_Daddy_Class_2_CA.crt  \
  -connect collaboration.opengroup.org:443b

for wget, the comparable option is --ca-certificate.



Attachment: signature.asc
Description: OpenPGP digital signature

reply via email to

[Prev in Thread] Current Thread [Next in Thread]