
wget .vs. curl #2856

Closed
donald opened this issue Feb 19, 2023 · 4 comments · Fixed by #2961

donald commented Feb 19, 2023

```
buczek@theinternet:~/git/bee-files (add-conntrack)$ curl -o x.x  https://www.netfilter.org/projects/conntrack-tools/files/conntrack-tools-1.4.7.tar.bz2
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  527k  100  527k    0     0  1347k      0 --:--:-- --:--:-- --:--:-- 1347k

buczek@theinternet:~/git/bee-files (add-conntrack)$ wget https://www.netfilter.org/projects/conntrack-tools/files/conntrack-tools-1.4.7.tar.bz2
--2023-02-19 15:51:30--  https://www.netfilter.org/projects/conntrack-tools/files/conntrack-tools-1.4.7.tar.bz2
Resolving www.netfilter.org... 92.243.18.11, 2001:4b98:dc0:43:216:3eff:fe87:a456
Connecting to www.netfilter.org|92.243.18.11|:443... connected.
ERROR: The certificate of ‘www.netfilter.org’ is not trusted.
ERROR: The certificate of ‘www.netfilter.org’ doesn't have a known issuer.
```

pmenzel commented Feb 20, 2023

Wget uses GnuTLS, and that seems to have issues with that certificate:

```
$ wget --version
GNU Wget 1.20.3 built on linux-gnu.

-cares +digest -gpgme +https +ipv6 -iri +large-file -metalink +nls 
+ntlm +opie -psl +ssl/gnutls
[…]
$ gnutls-cli www.netfilter.org
Processed 137 CA certificate(s).
Resolving 'www.netfilter.org:443'...
Connecting to '92.243.18.11:443'...
- Certificate type: X.509
- Got a certificate list of 4 certificates.
- Certificate[0] info:
 - subject `CN=iptables.org', issuer `CN=R3,O=Let's Encrypt,C=US', serial 0x04675191b85af1eea91388782cc5a2e1258c, RSA key 2048 bits, signed using RSA-SHA256, activated `2023-01-06 22:33:05 UTC', expires `2023-04-06 22:33:04 UTC', pin-sha256="+uWS05Cq49ezAdUve1eMV+fAqtOqSVI1kPr0UM9mxGE="
	Public Key ID:
		sha1:138a74de0999cbecdbfda39e88f372307a2e4ee8
		sha256:fae592d390aae3d7b301d52f7b578c57e7c0aad3aa49523590faf450cf66c461
	Public Key PIN:
		pin-sha256:+uWS05Cq49ezAdUve1eMV+fAqtOqSVI1kPr0UM9mxGE=

- Certificate[1] info:
 - subject `CN=iptables.org', issuer `CN=R3,O=Let's Encrypt,C=US', serial 0x04675191b85af1eea91388782cc5a2e1258c, RSA key 2048 bits, signed using RSA-SHA256, activated `2023-01-06 22:33:05 UTC', expires `2023-04-06 22:33:04 UTC', pin-sha256="+uWS05Cq49ezAdUve1eMV+fAqtOqSVI1kPr0UM9mxGE="
- Certificate[2] info:
 - subject `CN=R3,O=Let's Encrypt,C=US', issuer `CN=ISRG Root X1,O=Internet Security Research Group,C=US', serial 0x00912b084acf0c18a753f6d62e25a75f5a, RSA key 2048 bits, signed using RSA-SHA256, activated `2020-09-04 00:00:00 UTC', expires `2025-09-15 16:00:00 UTC', pin-sha256="jQJTbIh0grw0/1TkHSumWb+Fs0Ggogr621gT3PvPKG0="
- Certificate[3] info:
 - subject `CN=ISRG Root X1,O=Internet Security Research Group,C=US', issuer `CN=DST Root CA X3,O=Digital Signature Trust Co.', serial 0x4001772137d4e942b8ee76aa3c640ab7, RSA key 4096 bits, signed using RSA-SHA256, activated `2021-01-20 19:14:03 UTC', expires `2024-09-30 18:14:03 UTC', pin-sha256="C5+lpZ7tcVwmwQIMcRtPbsQtWLABXhQzejna0wHFr8M="
- Status: The certificate is NOT trusted. The certificate issuer is unknown. 
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
```
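
A structural check of the server-sent chain listed in the `gnutls-cli` output above, as an added example that is not part of the issue thread or of GnuTLS. The function names are hypothetical; the script only compares the subject, issuer and serial fields as printed, verifies no signatures, and makes no claim about which finding GnuTLS objected to.

```python
import re

# The four chain entries from the gnutls-cli output above, truncated after the serial.
SAMPLE = """\
- Certificate[0] info:
 - subject `CN=iptables.org', issuer `CN=R3,O=Let's Encrypt,C=US', serial 0x04675191b85af1eea91388782cc5a2e1258c,
- Certificate[1] info:
 - subject `CN=iptables.org', issuer `CN=R3,O=Let's Encrypt,C=US', serial 0x04675191b85af1eea91388782cc5a2e1258c,
- Certificate[2] info:
 - subject `CN=R3,O=Let's Encrypt,C=US', issuer `CN=ISRG Root X1,O=Internet Security Research Group,C=US', serial 0x00912b084acf0c18a753f6d62e25a75f5a,
- Certificate[3] info:
 - subject `CN=ISRG Root X1,O=Internet Security Research Group,C=US', issuer `CN=DST Root CA X3,O=Digital Signature Trust Co.', serial 0x4001772137d4e942b8ee76aa3c640ab7,
"""

ENTRY = re.compile(r"subject `(.*?)', issuer `(.*?)', serial (0x[0-9a-fA-F]+)")


def parse_chain(text):
    """Return [(subject, issuer, serial), ...] in the order the server sent them."""
    return [m.groups() for m in ENTRY.finditer(text)]


def check_chain(chain):
    """Report structural oddities in a server-sent chain (no signature checks)."""
    findings = []
    if not chain:
        return findings
    seen = {}
    for i, (subject, issuer, serial) in enumerate(chain):
        key = (issuer, serial)  # issuer + serial identifies one certificate
        if key in seen:
            findings.append(("duplicate", i, seen[key]))
        else:
            seen[key] = i
        # In an ordered chain, entry i+1 is the issuer of entry i.
        if i + 1 < len(chain) and chain[i + 1][0] != issuer:
            findings.append(("not-issued-by-next", i, i + 1))
    subject, issuer, _ = chain[-1]
    if subject != issuer:  # last entry is not self-signed: a trust anchor must come from the local store
        findings.append(("needs-anchor", len(chain) - 1, issuer))
    return findings


if __name__ == "__main__":
    for finding in check_chain(parse_chain(SAMPLE)):
        print(finding)
```
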

pmenzel commented Feb 20, 2023

Updating the related packages did not help.

I documented it upstream.

donald commented Feb 20, 2023

Thanks. However, I don't understand "documented it upstream" with a link to the gnutls 3.7.8 PR, which didn't fix the problem. Is it a known gnutls bug? Is it related to "Bleichenbacher oracle" whatever that is?

pmenzel commented Feb 20, 2023

Sorry, wrong URL. Correct one: https://gitlab.com/gnutls/gnutls/-/issues/1455

(I edit my comment.)

niclas added a commit that referenced this issue Aug 24, 2023
This fixes #2856.

```
inbetweenmove> wget https://www.netfilter.org/projects/conntrack-tools/files/conntrack-tools-1.4.7.tar.bz2
--2023-08-24 15:40:04--  https://www.netfilter.org/projects/conntrack-tools/files/conntrack-tools-1.4.7.tar.bz2
Resolving www.netfilter.org... 92.243.18.11, 2001:4b98:dc0:43:216:3eff:fe87:a456
Connecting to www.netfilter.org|92.243.18.11|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 539688 (527K) [application/x-bzip2]
Saving to: ‘conntrack-tools-1.4.7.tar.bz2’

conntrack-tools-1.4.7.tar.bz2         100%[=======================================================================>] 527.04K  2.51MB/s    in 0.2s

2023-08-24 15:40:04 (2.51 MB/s) - ‘conntrack-tools-1.4.7.tar.bz2’ saved [539688/539688]
```