[Bug 1312127] [NEW] wget tries to get certificate from wrong server

psl 1312127 at bugs.launchpad.net
Thu Apr 24 11:36:34 UTC 2014


Public bug reported:

This report is for Ubuntu 12.04.4. I observe the problem with wget, git
and maybe other utilities.  wget helped me to understand this problem. I
guess wget is not the troublemaker, but there is a problem in some part
related to DNS.

There is some problem (or change) with OpenDNS, which I use, and that
change has an impact on SSL-related services. Let's try to download a
certificate with wget:

$ wget -d https://www.digicert.com/CACerts/DigiCertSHA2ExtendedValidationServerCA.crt

DEBUG output created by Wget 1.13.4 on linux-gnu.

URI encoding = `UTF-8'
--2014-04-24 13:26:04--  https://www.digicert.com/CACerts/DigiCertSHA2ExtendedValidationServerCA.crt
Resolving www.digicert.com (www.digicert.com)... ::ffff:67.215.65.132, 64.78.193.234
Caching www.digicert.com => ::ffff:67.215.65.132 64.78.193.234
Connecting to www.digicert.com (www.digicert.com)|::ffff:67.215.65.132|:443... connected.
Created socket 3.
Releasing 0x08ca17d8 (new refcount 1).
Initiating SSL handshake.
Handshake successful; connected socket 3 to SSL handle 0x08ca1968
certificate:
  subject: /C=US/ST=California/L=San Francisco/O=OpenDNS, Inc./CN=*.opendns.com
  issuer:  /C=US/O=DigiCert Inc/CN=DigiCert Secure Server CA
ERROR: no certificate subject alternative name matches
 requested host name `www.digicert.com'.
To connect to www.digicert.com insecurely, use `--no-check-certificate'.
Closed 3/SSL 0x08ca1968

Notice that wget tries to download the certificate from the IPv6 address
::ffff:67.215.65.132; I don't have IPv6 connectivity...

Let's try to get DNS details about www.digicert.com. I use the OpenDNS
server:

$ host -a www.digicert.com 208.67.222.222
Trying "www.digicert.com"
Using domain server:
Name: 208.67.222.222
Address: 208.67.222.222#53
Aliases:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17002
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.digicert.com.		IN	ANY

;; ANSWER SECTION:
www.digicert.com.	95	IN	A	64.78.193.234
www.digicert.com.	0	IN	AAAA	::ffff:67.215.65.132

Received 78 bytes from 208.67.222.222#53 in 62 ms

$ host -t A www.digicert.com 208.67.222.222
Using domain server:
Name: 208.67.222.222
Address: 208.67.222.222#53
Aliases:

www.digicert.com has address 64.78.193.234

$ host -t AAAA www.digicert.com 208.67.222.222
Using domain server:
Name: 208.67.222.222
Address: 208.67.222.222#53
Aliases:

www.digicert.com has no AAAA record

From these examples, I assume that the record "0 IN AAAA" returned by the
OpenDNS server is not valid and should be ignored. For some reason, wget
(and git) tries to use the AAAA record to download the certificate...

** Affects: wget (Ubuntu)
     Importance: Undecided
         Status: New

** Description changed:

  This report is for Ubuntu 12.04.4. I observe the problem with wget, git
  and maybe other utilities.  wget helped me to understand this problem. I
  guess wget is not troublemaker, but there is a problem in somepart
  related to DNS.
  
  There is some problem (or change) with OpenDNS that I use and that
  change has impact to SSL related services. Lets, try to download a
  certificate with wget:
  
  $ wget -d
  https://www.digicert.com/CACerts/DigiCertSHA2ExtendedValidationServerCA.crt
  
  DEBUG output created by Wget 1.13.4 on linux-gnu.
  
  URI encoding = `UTF-8'
  --2014-04-24 13:26:04--  https://www.digicert.com/CACerts/DigiCertSHA2ExtendedValidationServerCA.crt
  Resolving www.digicert.com (www.digicert.com)... ::ffff:67.215.65.132, 64.78.193.234
  Caching www.digicert.com => ::ffff:67.215.65.132 64.78.193.234
  Connecting to www.digicert.com (www.digicert.com)|::ffff:67.215.65.132|:443... connected.
  Created socket 3.
  Releasing 0x08ca17d8 (new refcount 1).
  Initiating SSL handshake.
  Handshake successful; connected socket 3 to SSL handle 0x08ca1968
  certificate:
-   subject: /C=US/ST=California/L=San Francisco/O=OpenDNS, Inc./CN=*.opendns.com
-   issuer:  /C=US/O=DigiCert Inc/CN=DigiCert Secure Server CA
+   subject: /C=US/ST=California/L=San Francisco/O=OpenDNS, Inc./CN=*.opendns.com
+   issuer:  /C=US/O=DigiCert Inc/CN=DigiCert Secure Server CA
  ERROR: no certificate subject alternative name matches
- 	requested host name `www.digicert.com'.
+  requested host name `www.digicert.com'.
  To connect to www.digicert.com insecurely, use `--no-check-certificate'.
  Closed 3/SSL 0x08ca1968
  
  Notice, that wget tries to download certificate from IPv6 address
  ::ffff:67.215.65.132; I don't have IPv6 connectivity...
  
  Let's try to get DNS details about www.digicert.com, I use OpenDNS
  server:
  
  $ host -a www.digicert.com 208.67.222.222
  Trying "www.digicert.com"
  Using domain server:
  Name: 208.67.222.222
  Address: 208.67.222.222#53
- Aliases: 
+ Aliases:
  
  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17002
  ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
  
  ;; QUESTION SECTION:
  ;www.digicert.com.		IN	ANY
  
  ;; ANSWER SECTION:
  www.digicert.com.	95	IN	A	64.78.193.234
  www.digicert.com.	0	IN	AAAA	::ffff:67.215.65.132
  
  Received 78 bytes from 208.67.222.222#53 in 62 ms
  
  $ host -t A www.digicert.com 208.67.222.222
  Using domain server:
  Name: 208.67.222.222
  Address: 208.67.222.222#53
- Aliases: 
+ Aliases:
  
  www.digicert.com has address 64.78.193.234
  
  $ host -t AAAA www.digicert.com 208.67.222.222
  Using domain server:
  Name: 208.67.222.222
  Address: 208.67.222.222#53
- Aliases: 
+ Aliases:
  
  www.digicert.com has no AAAA record
  
- From these examples, I assume that record 0 AAAA returned by OpenDNS
+ From these examples, I assume that record 0 IN AAAA returned by OpenDNS
  server is not valid and should be ignored. For some reason, wget (and
  git) tries to use AAAA record to download certificate...

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to wget in Ubuntu.
https://bugs.launchpad.net/bugs/1312127

Title:
  wget tries to get certificate from wrong server

Status in “wget” package in Ubuntu:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/wget/+bug/1312127/+subscriptions
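The two DNS answers and the failed certificate check in the report above can be turned into a reusable check. The following Python script is an added example for this page; it is not code from wget, Launchpad or the bug reporter. It parses ANSWER SECTION lines in the layout that `host -a` prints (the two records are copied from the report and embedded as constructed input so the script runs offline) and flags an AAAA record that carries an IPv4-mapped IPv6 address (::ffff:a.b.c.d, defined in RFC 4291 section 2.5.5.2 as a socket-API convention, not something a resolver should publish), a TTL of 0, or a mapped IPv4 address that disagrees with the A answers. A second helper is an RFC 6125-style reference-identifier match that shows why a certificate for *.opendns.com cannot satisfy a request for www.digicert.com. All function and constant names are the example's own.

```python
"""Audit A/AAAA answers for signs that a resolver injected its own address.

Added example for this bug report; it is not code from wget, Launchpad or the
reporter. It parses ANSWER SECTION lines in the format `host -a` prints (the two
records below are copied from the report and embedded as constructed input so
the script runs offline) and flags AAAA records a public resolver should never
hand out. A second helper shows why the *.opendns.com certificate could not
pass wget's host name check.
"""
import ipaddress
import re

# Constructed input: the ANSWER SECTION from `host -a www.digicert.com 208.67.222.222`.
SAMPLE_ANSWERS = """\
www.digicert.com.\t95\tIN\tA\t64.78.193.234
www.digicert.com.\t0\tIN\tAAAA\t::ffff:67.215.65.132
"""

# owner  ttl  IN  type  rdata   (only A and AAAA records are of interest here)
RR_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<rtype>A|AAAA)\s+(?P<rdata>\S+)$"
)


def parse_answers(text):
    """Return (name, ttl, rtype, rdata) for every A/AAAA line in `text`."""
    rrs = []
    for line in text.splitlines():
        m = RR_RE.match(line.strip())
        if m:
            rrs.append((m["name"], int(m["ttl"]), m["rtype"], m["rdata"]))
    return rrs


def check_aaaa(ttl, rdata, a_addrs):
    """Return the list of problems with one AAAA record (empty list = looks sane)."""
    problems = []
    addr = ipaddress.IPv6Address(rdata)
    mapped = addr.ipv4_mapped  # IPv4Address for ::ffff:a.b.c.d, otherwise None
    if mapped is not None:
        # ::ffff:0:0/96 (RFC 4291 s2.5.5.2) lets an AF_INET6 socket talk to IPv4
        # peers; it is not valid DNS data.  A dual-stack client "connects" to it
        # over plain IPv4, which is how wget reached a server without IPv6.
        problems.append("ipv4-mapped address in AAAA record")
        if str(mapped) not in a_addrs:
            problems.append(
                f"mapped IPv4 {mapped} is not among the A answers {sorted(a_addrs)}"
            )
    if addr.is_loopback or addr.is_link_local or addr.is_unspecified:
        problems.append("address is not globally routable")
    if ttl == 0:
        problems.append("TTL 0: answer looks synthesized by the resolver, not cached")
    return problems


def audit(text):
    """Map each AAAA rdata found in `text` to its list of problems."""
    rrs = parse_answers(text)
    a_addrs = {rdata for _, _, rtype, rdata in rrs if rtype == "A"}
    return {
        rdata: check_aaaa(ttl, rdata, a_addrs)
        for _, ttl, rtype, rdata in rrs
        if rtype == "AAAA"
    }


def hostname_matches(pattern, host):
    """RFC 6125-style match: one leading '*.' wildcard covers exactly one label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        p_labels, h_labels = pattern.split(".")[1:], host.split(".")
        return len(h_labels) == len(p_labels) + 1 and h_labels[1:] == p_labels
    return pattern == host


if __name__ == "__main__":
    for rdata, problems in audit(SAMPLE_ANSWERS).items():
        print(rdata, "->", "; ".join(problems) or "ok")
    print("*.opendns.com matches www.digicert.com?",
          hostname_matches("*.opendns.com", "www.digicert.com"))
```

Run against the report's records, the AAAA answer collects three findings (IPv4-mapped rdata, mapped address 67.215.65.132 not present among the A answers, TTL 0), while the wildcard matcher returns False for www.digicert.com. The matcher also explains the "connected" line in the debug output: on Linux an AF_INET6 socket sends to an IPv4-mapped destination over ordinary IPv4, so the TCP connection to 67.215.65.132 succeeds without any IPv6 connectivity, and only the certificate host name check reveals that the peer is not www.digicert.com.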



More information about the foundations-bugs mailing list