[go: up one dir, main page]

Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

make wget upgrade-self use no-check-certificate #60

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

cslycord
Copy link
@cslycord cslycord commented Dec 9, 2019

In a system that needs no-check-certificate, calling wget without it creates a copy of the file that's empty/useless.

So, this makes the default fallback not check certificates.

@kou1okada
Copy link
Owner
kou1okada commented Dec 9, 2019

Why does your system need no-check-certificate?
Almost systems do not need it.
You must not decrease the whole security level by resolving a special case, I think.

@cslycord
Copy link
Author
cslycord commented Dec 9, 2019 via email

@kou1okada
Copy link
Owner

Does your environment install ca-certificates package correctly?
It provides CA certifications and it is also required from wget.

$ apt-cyg rdepends ca-certificates | grep ^wget
wget                                     1      3       3
$ apt-cyg depends wget | grep ^ca-certificates
ca-certificates                          1      3       3

So, if you install wget, it will be installed automatically.
If it is not installed correctly, apt-cyg dist-upgrade may solve the problem.

I think following suggestions will help people who have similar situations for you.

  • Catch a failing wget and abort task.
  • Provide an option to use --no-check-certificate.

But, ignoring the certification for whole environment is a bad idea.

@cslycord
Copy link
Author
cslycord commented Dec 12, 2019 via email

@kou1okada
Copy link
Owner
kou1okada commented Dec 13, 2019

Shouldn't you doubt the security risks with MITM (man in the middle ) attack?
You must check with openssl as below:

$ echo|openssl s_client -connect raw.githubusercontent.com:443
CONNECTED(00000004)
---
Certificate chain
 0 s:C = US, ST = California, L = San Francisco, O = "GitHub, Inc.", CN = www.github.com
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
 1 s:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIHqDCCBpCgAwIBAgIQCDqEWS938ueVG/iHzt7JZjANBgkqhkiG9w0BAQsFADBw
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMS8wLQYDVQQDEyZEaWdpQ2VydCBTSEEyIEhpZ2ggQXNz
dXJhbmNlIFNlcnZlciBDQTAeFw0xNzAzMjMwMDAwMDBaFw0yMDA1MTMxMjAwMDBa
MGoxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T
YW4gRnJhbmNpc2NvMRUwEwYDVQQKEwxHaXRIdWIsIEluYy4xFzAVBgNVBAMTDnd3
dy5naXRodWIuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxtPx
ijvPpEXyy3Bn10WfoWmKTW753Uv2PusDNmalx/7mqFqi5BqK4xWQHQgSpyhedgtW
IXWCJGHtgFVck+DBAbHiHsE67ewpV1a2l2GpqNCFTU77UsoNVD/xPyx3k+cPX9y8
rqjMiZB3xs1zKDYBkcoBVrA+iO323YkJmCLEXCO2O7b1twLFWkNwMd7e7nteu2uC
MvxNp5Qg22MIn33t2egMPfIDU/TcKDfyaty5+s6F3gzh7eIgnqNQN0T/5fpaYkqd
x8j21QDsIyF/CfSpA5qKLuhluu8xrUbnc0MigX7VThS9PbfxMSQ1cQQfbGdxoQNJ
TNHxXv+ZTXAxKCju5wIDAQABo4IEQjCCBD4wHwYDVR0jBBgwFoAUUWj/kK8CB3U8
zNllZGKiErhZcjswHQYDVR0OBBYEFDCCKdhtTODUosYQSAWAh6i8qukSMHsGA1Ud
EQR0MHKCDnd3dy5naXRodWIuY29tggwqLmdpdGh1Yi5jb22CCmdpdGh1Yi5jb22C
CyouZ2l0aHViLmlvgglnaXRodWIuaW+CFyouZ2l0aHVidXNlcmNvbnRlbnQuY29t
ghVnaXRodWJ1c2VyY29udGVudC5jb20wDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQW
MBQGCCsGAQUFBwMBBggrBgEFBQcDAjB1BgNVHR8EbjBsMDSgMqAwhi5odHRwOi8v
Y3JsMy5kaWdpY2VydC5jb20vc2hhMi1oYS1zZXJ2ZXItZzUuY3JsMDSgMqAwhi5o
dHRwOi8vY3JsNC5kaWdpY2VydC5jb20vc2hhMi1oYS1zZXJ2ZXItZzUuY3JsMEwG
A1UdIARFMEMwNwYJYIZIAYb9bAEBMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8vd3d3
LmRpZ2ljZXJ0LmNvbS9DUFMwCAYGZ4EMAQICMIGDBggrBgEFBQcBAQR3MHUwJAYI
KwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNvbTBNBggrBgEFBQcwAoZB
aHR0cDovL2NhY2VydHMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0U0hBMkhpZ2hBc3N1
cmFuY2VTZXJ2ZXJDQS5jcnQwDAYDVR0TAQH/BAIwADCCAfUGCisGAQQB1nkCBAIE
ggHlBIIB4QHfAHYApLkJkLQYWBSHuxOizGdwCjw1mAT5G9+443fNDsgN3BAAAAFa
/UBqBAAABAMARzBFAiBFXsWaC1bup8Q0JgrY9EgIxjqi1v2fA6Zg44iRXSQyywIh
AIzhzU1zlseJh5+yXc5U1I+pgqRmXb1XcPIsGL8oOdwjAHUAVhQGmi/XwuzT9eG9
RLI+x0Z2ubyZEVzA75SYVdaJ0N0AAAFa/UBqZQAABAMARjBEAiBKQMsySmj69oKZ
MeC+MDokLrrVN2tK+OMlzf1T5qgHtgIgRJLNGvfWDmMpCK/iWPSmMsYK2yYyTl9K
btHBtP5WpkcAdgDuS723dc5guuFCaR+r4Z5mow9+X7By2IMAxHuJeqj9ywAAAVr9
QGofAAAEAwBHMEUCIA2n0TbeAa5KbuOpnXpJbnObwckpOsHsaN+2rA7ZA16YAiEA
l7JTnVPdmFcauzwLjgNESMRFtn4Brzm9XJTPJbaWPacAdgC72d+8H4pxtZOUI5eq
kntHOFeVCqtS6BqQlmQ2jh7RhQAAAVr9QGoRAAAEAwBHMEUCIQCqrtuq71J6TM7w
KMWeSAROdTa8f35GoLMImJXONSNHfQIgONvSu/VH5jlZ1+PD+b6ThFF1+pV7wp7w
q+/8xiHUMlswDQYJKoZIhvcNAQELBQADggEBAJl+1i/OG6YV9RWz7/EwwR9UEJKk
jEPAvL2lDQBT4kLBhW/lp6lBmUtGEVrd/egnaZe2PKYOKjDbM1O+g7CqCIkEfmY1
5VyzLCh/p7HlJ3ltgSaJ6qBVUXAQy+tDWWuqUrRG/dL/iRaKRdoOv4cNU++DJMUX
rRJjQHSATb2kyd102d8cYQIKcbCTJC8tqSB6Q4ZEEViKRZvXXOJm66bG8Xyn3N2v
J4k598Gamch/NHrZOXODy3N1vBawTqFJLQkSjU4+Y//wiHHfUEYrpTg92zgIlylk
3svH64hwWd1i3BZ2LTBq46MvQKU2D8wFdtXgbgRAPWohX79Oo6hs0Jghub0=
-----END CERTIFICATE-----
subject=C = US, ST = California, L = San Francisco, O = "GitHub, Inc.", CN = www.github.com

issuer=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA

---
No client certificate CA names sent
Peer signing digest: SHA512
Peer signature type: RSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3833 bytes and written 430 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 8837E1F890B3153AD729B29D632BB165F8F3D21953FF5FE1C18A8256BD660B80
    Session-ID-ctx: 
    Master-Key: 2E182D7F449EA6934AF5A9AE0BCEB0849810DD6AC597392958B77A4AFD83F663D0A8DCA65143126E99B1C69061B27748
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 66 8a e6 2a 60 53 00 d8-8b 4b 1b db b8 2e 89 b1   f..*`S...K......
    0010 - f2 b7 1d 1b dc 61 05 2f-44 a5 13 47 54 19 94 5f   .....a./D..GT.._
    0020 - 85 9d 3f cb 63 05 4f 86-01 5e 98 80 66 ab c3 d4   ..?.c.O..^..f...
    0030 - 71 f8 4c f6 ba bd 05 ca-40 e4 e7 11 25 b3 06 3f   q.L.....@...%..?
    0040 - ff fa b0 15 fc e5 dd 4d-a3 53 47 60 62 f8 0d 7f   .......M.SG`b...
    0050 - 1c 9a 9c 62 66 41 9b fb-95 90 65 a1 c3 d4 e4 e5   ...bfA....e.....
    0060 - c5 99 02 f5 e7 81 65 89-ad 7d f8 6a 37 1b 40 59   ......e..}.j7.@Y
    0070 - 3f ac cc 0d 47 6f e4 f7-5b 80 bd be b0 4b b7 d1   ?...Go..[....K..
    0080 - 4f 95 a2 64 9a 3e b1 93-81 a3 bc 83 59 b1 b2 86   O..d.>......Y...
    0090 - 2e ba 1f 58 4a 39 cc a3-1a 88 71 d5 ae b8 ce cf   ...XJ9....q.....
    00a0 - 25 27 e5 3b 04 d5 9a 11-00 b2 8c b2 5f 26 2b 12   %'.;........_&+.
    00b0 - 33 a8 83 18 e8 11 ce ab-ad b8 b8 bb ce 6f 11 68   3............o.h

    Start Time: 1576213322
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---

and

$ echo|openssl s_client -connect raw.githubusercontent.com:443 2>/dev/null | openssl x509 -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            08:3a:84:59:2f:77:f2:e7:95:1b:f8:87:ce:de:c9:66
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
        Validity
            Not Before: Mar 23 00:00:00 2017 GMT
            Not After : May 13 12:00:00 2020 GMT
        Subject: C = US, ST = California, L = San Francisco, O = "GitHub, Inc.", CN = www.github.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:c6:d3:f1:8a:3b:cf:a4:45:f2:cb:70:67:d7:45:
                    9f:a1:69:8a:4d:6e:f9:dd:4b:f6:3e:eb:03:36:66:
                    a5:c7:fe:e6:a8:5a:a2:e4:1a:8a:e3:15:90:1d:08:
                    12:a7:28:5e:76:0b:56:21:75:82:24:61:ed:80:55:
                    5c:93:e0:c1:01:b1:e2:1e:c1:3a:ed:ec:29:57:56:
                    b6:97:61:a9:a8:d0:85:4d:4e:fb:52:ca:0d:54:3f:
                    f1:3f:2c:77:93:e7:0f:5f:dc:bc:ae:a8:cc:89:90:
                    77:c6:cd:73:28:36:01:91:ca:01:56:b0:3e:88:ed:
                    f6:dd:89:09:98:22:c4:5c:23:b6:3b:b6:f5:b7:02:
                    c5:5a:43:70:31:de:de:ee:7b:5e:bb:6b:82:32:fc:
                    4d:a7:94:20:db:63:08:9f:7d:ed:d9:e8:0c:3d:f2:
                    03:53:f4:dc:28:37:f2:6a:dc:b9:fa:ce:85:de:0c:
                    e1:ed:e2:20:9e:a3:50:37:44:ff:e5:fa:5a:62:4a:
                    9d:c7:c8:f6:d5:00:ec:23:21:7f:09:f4:a9:03:9a:
                    8a:2e:e8:65:ba:ef:31:ad:46:e7:73:43:22:81:7e:
                    d5:4e:14:bd:3d:b7:f1:31:24:35:71:04:1f:6c:67:
                    71:a1:03:49:4c:d1:f1:5e:ff:99:4d:70:31:28:28:
                    ee:e7
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier: 
                keyid:51:68:FF:90:AF:02:07:75:3C:CC:D9:65:64:62:A2:12:B8:59:72:3B

            X509v3 Subject Key Identifier: 
                30:82:29:D8:6D:4C:E0:D4:A2:C6:10:48:05:80:87:A8:BC:AA:E9:12
            X509v3 Subject Alternative Name: 
                DNS:www.github.com, DNS:*.github.com, DNS:github.com, DNS:*.github.io, DNS:github.io, DNS:*.githubusercontent.com, DNS:githubusercontent.com
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://crl3.digicert.com/sha2-ha-server-g5.crl

                Full Name:
                  URI:http://crl4.digicert.com/sha2-ha-server-g5.crl

            X509v3 Certificate Policies: 
                Policy: 2.16.840.1.114412.1.1
                  CPS: https://www.digicert.com/CPS
                Policy: 2.23.140.1.2.2

            Authority Information Access: 
                OCSP - URI:http://ocsp.digicert.com
                CA Issuers - URI:http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crt

            X509v3 Basic Constraints: critical
                CA:FALSE
            CT Precertificate SCTs: 
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : A4:B9:09:90:B4:18:58:14:87:BB:13:A2:CC:67:70:0A:
                                3C:35:98:04:F9:1B:DF:B8:E3:77:CD:0E:C8:0D:DC:10
                    Timestamp : Mar 23 22:19:01.508 2017 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:20:45:5E:C5:9A:0B:56:EE:A7:C4:34:26:0A:
                                D8:F4:48:08:C6:3A:A2:D6:FD:9F:03:A6:60:E3:88:91:
                                5D:24:32:CB:02:21:00:8C:E1:CD:4D:73:96:C7:89:87:
                                9F:B2:5D:CE:54:D4:8F:A9:82:A4:66:5D:BD:57:70:F2:
                                2C:18:BF:28:39:DC:23
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 56:14:06:9A:2F:D7:C2:EC:D3:F5:E1:BD:44:B2:3E:C7:
                                46:76:B9:BC:99:11:5C:C0:EF:94:98:55:D6:89:D0:DD
                    Timestamp : Mar 23 22:19:01.605 2017 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:44:02:20:4A:40:CB:32:4A:68:FA:F6:82:99:31:E0:
                                BE:30:3A:24:2E:BA:D5:37:6B:4A:F8:E3:25:CD:FD:53:
                                E6:A8:07:B6:02:20:44:92:CD:1A:F7:D6:0E:63:29:08:
                                AF:E2:58:F4:A6:32:C6:0A:DB:26:32:4E:5F:4A:6E:D1:
                                C1:B4:FE:56:A6:47
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : EE:4B:BD:B7:75:CE:60:BA:E1:42:69:1F:AB:E1:9E:66:
                                A3:0F:7E:5F:B0:72:D8:83:00:C4:7B:89:7A:A8:FD:CB
                    Timestamp : Mar 23 22:19:01.535 2017 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:20:0D:A7:D1:36:DE:01:AE:4A:6E:E3:A9:9D:
                                7A:49:6E:73:9B:C1:C9:29:3A:C1:EC:68:DF:B6:AC:0E:
                                D9:03:5E:98:02:21:00:97:B2:53:9D:53:DD:98:57:1A:
                                BB:3C:0B:8E:03:44:48:C4:45:B6:7E:01:AF:39:BD:5C:
                                94:CF:25:B6:96:3D:A7
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : BB:D9:DF:BC:1F:8A:71:B5:93:94:23:97:AA:92:7B:47:
                                38:57:95:0A:AB:52:E8:1A:90:96:64:36:8E:1E:D1:85
                    Timestamp : Mar 23 22:19:01.521 2017 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:21:00:AA:AE:DB:AA:EF:52:7A:4C:CE:F0:28:
                                C5:9E:48:04:4E:75:36:BC:7F:7E:46:A0:B3:08:98:95:
                                CE:35:23:47:7D:02:20:38:DB:D2:BB:F5:47:E6:39:59:
                                D7:E3:C3:F9:BE:93:84:51:75:FA:95:7B:C2:9E:F0:AB:
                                EF:FC:C6:21:D4:32:5B
    Signature Algorithm: sha256WithRSAEncryption
         99:7e:d6:2f:ce:1b:a6:15:f5:15:b3:ef:f1:30:c1:1f:54:10:
         92:a4:8c:43:c0:bc:bd:a5:0d:00:53:e2:42:c1:85:6f:e5:a7:
         a9:41:99:4b:46:11:5a:dd:fd:e8:27:69:97:b6:3c:a6:0e:2a:
         30:db:33:53:be:83:b0:aa:08:89:04:7e:66:35:e5:5c:b3:2c:
         28:7f:a7:b1:e5:27:79:6d:81:26:89:ea:a0:55:51:70:10:cb:
         eb:43:59:6b:aa:52:b4:46:fd:d2:ff:89:16:8a:45:da:0e:bf:
         87:0d:53:ef:83:24:c5:17:ad:12:63:40:74:80:4d:bd:a4:c9:
         dd:74:d9:df:1c:61:02:0a:71:b0:93:24:2f:2d:a9:20:7a:43:
         86:44:11:58:8a:45:9b:d7:5c:e2:66:eb:a6:c6:f1:7c:a7:dc:
         dd:af:27:89:39:f7:c1:9a:99:c8:7f:34:7a:d9:39:73:83:cb:
         73:75:bc:16:b0:4e:a1:49:2d:09:12:8d:4e:3e:63:ff:f0:88:
         71:df:50:46:2b:a5:38:3d:db:38:08:97:29:64:de:cb:c7:eb:
         88:70:59:dd:62:dc:16:76:2d:30:6a:e3:a3:2f:40:a5:36:0f:
         cc:05:76:d5:e0:6e:04:40:3d:6a:21:5f:bf:4e:a3:a8:6c:d0:
         98:21:b9:bd

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants