[Bug 1605883] [NEW] wget uses system CA certificates even when told not to
Nate Eldredge
1605883 at bugs.launchpad.net
Sat Jul 23 15:22:20 UTC 2016
Public bug reported:
In the wget man page, the command line options --ca-certificate and
--ca-directory have the sentence: "Without this option Wget looks for CA
certificates at the system-specified locations, chosen at OpenSSL
installation time." To me, that implies that *with* these options, the
system-specified locations are *not* searched. (That would be useful if
the sysadmin has installed certificates that the user doesn't trust.)
However, it appears that even with these options, the system SSL
directory /usr/lib/ssl/certs (symlink to /etc/ssl/certs) is still
searched.
Running

    wget --ca-certificate=/dev/null --ca-directory=/nonexistent https://www.google.com

succeeds. I would expect it to fail, having no trusted CA certificate.
strace reveals that it reads a certificate from /usr/lib/ssl/certs.
Either the code should be fixed, or the man page should be clarified.
ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: wget 1.17.1-1ubuntu1.1
ProcVersionSignature: Ubuntu 4.4.0-31.50-generic 4.4.13
Uname: Linux 4.4.0-31-generic x86_64
NonfreeKernelModules: wl
ApportVersion: 2.20.1-0ubuntu2.1
Architecture: amd64
Date: Sat Jul 23 09:12:02 2016
SourcePackage: wget
UpgradeStatus: Upgraded to xenial on 2016-05-27 (57 days ago)
** Affects: wget (Ubuntu)
Importance: Undecided
Status: New
** Tags: amd64 apport-bug xenial
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to wget in Ubuntu.
https://bugs.launchpad.net/bugs/1605883
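
The strace check described in the report can be automated. The following is an added example, not part of the original bug report or of wget: a shell function that scans strace output for successful opens of system CA files outside the location passed to wget. The function names, the watched directory list and the sample trace lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: list system CA-store files that a traced process opened
# successfully although they lie outside the allowed trust location.
# On a real run (needs strace and network access):
#   strace -f -e trace=open,openat -o wget.trace \
#     wget --ca-certificate=/dev/null --ca-directory=/nonexistent https://www.google.com
#   unexpected_ca_opens /nonexistent < wget.trace

# Directories to watch (assumption: the two paths named in the report).
SYSTEM_CA_DIRS="/usr/lib/ssl/certs /etc/ssl/certs"

# unexpected_ca_opens ALLOWED_DIR
# Reads strace output on stdin and prints every path under SYSTEM_CA_DIRS
# that was opened with a non-negative return value and is not under ALLOWED_DIR.
unexpected_ca_opens() {
    allowed=$1
    # Reduce each open()/openat() line to "<return value> <path>".
    sed -n -E 's/^([0-9]+ +)?open(at)?\(.*"([^"]+)".* = (-?[0-9]+).*$/\4 \3/p' |
    while read -r ret path; do
        [ "$ret" -ge 0 ] || continue   # failed opens (e.g. ENOENT) read nothing
        case $path in "$allowed"/*) continue ;; esac
        for dir in $SYSTEM_CA_DIRS; do
            case $path in "$dir"/*) printf '%s\n' "$path" ;; esac
        done
    done | sort -u
}

# Constructed sample trace (not captured from a real run; the file name
# deadbeef.0 is a placeholder for a hashed certificate name).
sample_trace() {
    cat <<'EOF'
open("/nonexistent/deadbeef.0", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/ssl/certs/deadbeef.0", O_RDONLY) = 4
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
EOF
}

# Demo: any line printed here is a trust anchor read from the system store.
sample_trace | unexpected_ca_opens /nonexistent
```

An empty result on a real trace means no certificate file under the watched directories was read; any output means the system store was consulted despite the options.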