Erwann ABALEA <erwann.aba...@keynectis.com> writes:

> On 7 August 2011, Kamil Jońca wrote:
>> I have a weird problem with some sites using ssl.
>> Mozilla _can_ validate certificate but wget can't, and I don't know if
>> it is a debian bug or openssl.
>> Whole story begins at
>> http://lists.debian.org/debian-user/2011/06/msg00089.html
>
> The certificate chain sent by the website is this:
>
> 0.
> s:/1.3.6.1.4.1.311.60.2.1.3=PL/2.5.4.15=Private Organization/serialNumber=0000008723/C=PL/postalCode=50-950/ST=Dolnoslaskie/L=Wroclaw/streetAddress=ul. Rynek 9/11/O=Bank Zachodni WBK S.A./OU=Obszar Operacji Bankowych/CN=www.centrum24.pl
> i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA
> issuer hash bae2cbd8/ac12bd91
>
> 1.
> s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA
> i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
> subject hash bae2cbd8/ac12bd91
> issuer hash facacbc6/b204d74a
>
> 2.
> s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
> i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
> subject hash facacbc6/b204d74a
> issuer hash 7651b327/415660c1
>
> Your wget binary wants to validate the certificate sent in position 2,
> which is signed by a previous VeriSign Root CA. So it looks for a file
> or link named 415660c1.0 in the /usr/lib/ssl/certs/ directory, and
> can't find it. Are you sure it doesn't look for a file or link named
> b204d74a.0 in the same directory, after that? Normally, it should try
> to validate the position 1 certificate with its certificate store.

According to strace:

--8<---------------cut here---------------start------------->8---
strace -o ~/tmp/wget.log wget -v -x 'https://www.centrum24.pl/bzwbkonline/eSmart.html?typ=90&lang=pl'
--2011-08-08 00:51:06-- https://www.centrum24.pl/bzwbkonline/eSmart.html?typ=90&lang=pl
Resolving www.centrum24.pl... 195.20.110.130
Connecting to www.centrum24.pl|195.20.110.130|:443... connected.
ERROR: cannot verify www.centrum24.pl's certificate, issued by `/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA':
  Unable to locally verify the issuer's authority.
To connect to www.centrum24.pl insecurely, use `--no-check-certificate'.
--8<---------------cut here---------------end--------------->8---

--8<---------------cut here---------------start------------->8---
grep open ~/tmp/wget.log
open("/etc/ld.so.cache", O_RDONLY) = 3
open("/usr/lib/libssl.so.1.0.0", O_RDONLY) = 3
open("/usr/lib/libcrypto.so.1.0.0", O_RDONLY) = 3
open("/lib/x86_64-linux-gnu/libdl.so.2", O_RDONLY) = 3
open("/lib/x86_64-linux-gnu/librt.so.1", O_RDONLY) = 3
open("/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY) = 3
open("/usr/lib/libz.so.1", O_RDONLY) = 3
open("/lib/x86_64-linux-gnu/libpthread.so.0", O_RDONLY) = 3
open("/usr/lib/locale/locale-archive", O_RDONLY) = 3
open("/etc/wgetrc", O_RDONLY) = 3
open("/home/kjonca/.wgetrc", O_RDONLY) = 3
open("/etc/localtime", O_RDONLY) = 3
open("/dev/urandom", O_RDONLY|O_NOCTTY|O_NONBLOCK) = 3
open("/usr/share/locale/locale.alias", O_RDONLY) = 3
open("/usr/share/locale/en_GB/LC_MESSAGES/libc.mo", O_RDONLY) = 3
open("/usr/share/locale/en/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache", O_RDONLY) = 3
open("/usr/lib/ssl/cert.pem", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/home/kjonca/.netrc", O_RDONLY) = 3
open("/usr/share/locale/en_GB/LC_MESSAGES/wget.mo", O_RDONLY) = 3
open("/etc/nsswitch.conf", O_RDONLY) = 3
open("/etc/host.conf", O_RDONLY) = 3
open("/etc/resolv.conf", O_RDONLY) = 3
open("/etc/ld.so.cache", O_RDONLY) = 3
open("/lib/x86_64-linux-gnu/libnss_files.so.2", O_RDONLY) = 3
open("/etc/hosts", O_RDONLY|O_CLOEXEC) = 3
open("/etc/ld.so.cache", O_RDONLY) = 3
open("/lib/libnss_mdns4_minimal.so.2", O_RDONLY) = 3
open("/etc/ld.so.cache", O_RDONLY) = 3
open("/lib/x86_64-linux-gnu/libnss_dns.so.2", O_RDONLY) = 3
open("/lib/x86_64-linux-gnu/libresolv.so.2", O_RDONLY) = 3
open("/etc/resolv.conf", O_RDONLY) = 3
open("/usr/share/locale/en/LC_MESSAGES/wget.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/ssl/certs/415660c1.0", O_RDONLY) = 4
open("/usr/lib/ssl/certs/415660c1.1", O_RDONLY) = 4
--8<---------------cut here---------------end--------------->8---

KJ

--
http://blogdebart.pl/2010/03/17/dalsze-przygody-swinki-w-new-jersey/
Do not interrupt me while I am interrupting --W.Churchill
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
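
Added example, not part of the original messages: a small Python filter that pulls the hashed-directory probes (<hash>.<n> files) out of an strace log and matches them against the issuer hashes listed for each chain position, which is the check asked about for b204d74a.0. The sample log is a constructed excerpt of the open() lines above, and the function names are made up for this example.

```python
import re

# Issuer hashes per chain position, copied from the quoted chain listing
# (both values of each "issuer hash" pair).
CHAIN_ISSUER_HASHES = {
    0: ("bae2cbd8", "ac12bd91"),
    1: ("facacbc6", "b204d74a"),
    2: ("7651b327", "415660c1"),
}

# Constructed sample: a few of the open() lines from the strace log above.
SAMPLE_LOG = """\
open("/etc/wgetrc", O_RDONLY) = 3
open("/usr/lib/ssl/cert.pem", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/etc/resolv.conf", O_RDONLY) = 3
open("/usr/lib/ssl/certs/415660c1.0", O_RDONLY) = 4
open("/usr/lib/ssl/certs/415660c1.1", O_RDONLY) = 4
"""

# open()/openat() call with a quoted path and a numeric return value.
OPEN_RE = re.compile(r'\bopen(?:at)?\((?:AT_FDCWD,\s*)?"([^"]+)".*\)\s*=\s*(-?\d+)')
# Hashed-directory entry: eight hex digits, a dot, a sequence number.
HASHED_RE = re.compile(r'/([0-9a-f]{8})\.(\d+)$')


def hashed_lookups(log):
    """Return (hash, sequence, opened_ok) for every <hash>.<n> file probed."""
    probes = []
    for line in log.splitlines():
        call = OPEN_RE.search(line)
        if not call:
            continue
        entry = HASHED_RE.search(call.group(1))
        if entry:
            opened_ok = int(call.group(2)) >= 0  # -1 means the open failed
            probes.append((entry.group(1), int(entry.group(2)), opened_ok))
    return probes


def issuer_probes_by_position(log, chain=CHAIN_ISSUER_HASHES):
    """Map each chain position to the probes made for its issuer's hash."""
    probes = hashed_lookups(log)
    return {pos: [p for p in probes if p[0] in hashes]
            for pos, hashes in chain.items()}


if __name__ == "__main__":
    for pos, found in issuer_probes_by_position(SAMPLE_LOG).items():
        print(f"position {pos}: {found or 'issuer hash never looked up'}")
```

An empty list for a position means the log contains no lookup for that certificate's issuer hash; a probe with opened_ok set to True only shows that a file with that name exists, not that its contents verified the certificate.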