wget tries to get certificate from wrong server
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
wget (Ubuntu) | Invalid | Undecided | Unassigned |
Bug Description
This report is for Ubuntu 12.04.4. I observe the problem with wget, git and maybe other utilities. wget helped me to understand this problem. I guess wget is not the troublemaker, but there is a problem in some part related to DNS.
There is some problem (or change) with OpenDNS, which I use, and that change has an impact on SSL-related services. Let's try to download a certificate with wget:
```
$ wget -d https:/
DEBUG output created by Wget 1.13.4 on linux-gnu.
URI encoding = `UTF-8'
--2014-04-24 13:26:04-- https:/
Resolving www.digicert.com (www.digicert.
Caching www.digicert.com => ::ffff:
Connecting to www.digicert.com (www.digicert.
Created socket 3.
Releasing 0x08ca17d8 (new refcount 1).
Initiating SSL handshake.
Handshake successful; connected socket 3 to SSL handle 0x08ca1968
certificate:
subject: /C=US/ST=
issuer: /C=US/O=DigiCert Inc/CN=DigiCert Secure Server CA
ERROR: no certificate subject alternative name matches
requested host name `www.digicert.com'.
To connect to www.digicert.com insecurely, use `--no-check-
Closed 3/SSL 0x08ca1968
```
Notice that wget tries to download the certificate from the IPv6 address ::ffff:
Let's try to get DNS details about www.digicert.com; I use the OpenDNS server:
```
$ host -a www.digicert.com 208.67.222.222
Trying "www.digicert.com"
Using domain server:
Name: 208.67.222.222
Address: 208.67.222.222#53
Aliases:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17002
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.digicert.com. IN ANY

;; ANSWER SECTION:
www.digicert.com. 95 IN A 64.78.193.234
www.digicert.com. 0 IN AAAA ::ffff:

Received 78 bytes from 208.67.222.222#53 in 62 ms

$ host -t A www.digicert.com 208.67.222.222
Using domain server:
Name: 208.67.222.222
Address: 208.67.222.222#53
Aliases:

www.digicert.com has address 64.78.193.234

$ host -t AAAA www.digicert.com 208.67.222.222
Using domain server:
Name: 208.67.222.222
Address: 208.67.222.222#53
Aliases:

www.digicert.com has no AAAA record
```
From these examples, I assume that the record "0 IN AAAA" returned by the OpenDNS server is not valid and should be ignored. For some reason, wget (and git) tries to use the AAAA record to download the certificate...
Ubuntu 14.04 works better. Under similar conditions, the AAAA record is ignored and wget downloads the certificate from the correct server:
```
$ wget -d https://www.digicert.com/CACerts/DigiCertSHA2ExtendedValidationServerCA.crt
DEBUG output created by Wget 1.15 on linux-gnu.
URI encoding = ‘UTF-8’
--2014-04-24 13:54:34-- https://www.digicert.com/CACerts/DigiCertSHA2ExtendedValidationServerCA.crt
Resolving www.digicert.com (www.digicert.com)... 64.78.193.234
Caching www.digicert.com => 64.78.193.234
Connecting to www.digicert.com (www.digicert.com)|64.78.193.234|:443... connected.
Created socket 3.
Releasing 0x00000000006ff3f0 (new refcount 1).
Initiating SSL handshake.
Handshake successful; connected socket 3 to SSL handle 0x00000000006ff670
certificate:
subject: /businessCategory=Private Organization/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Utah/serialNumber=5299537-0142/street=Suite 500/street=2600 West Executive Parkway/postalCode=84043/C=US/ST=Utah/L=Lehi/O=DigiCert, Inc./CN=www.digicert.com
issuer: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
X509 certificate successfully verified and matches host www.digicert.com

---request begin---
GET /CACerts/DigiCertSHA2ExtendedValidationServerCA.crt HTTP/1.1
User-Agent: Wget/1.15 (linux-gnu)
Accept: */*
Host: www.digicert.com
Connection: Keep-Alive
...
```
```
$ host -a www.digicert.com
Trying "www.digicert.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14219
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.digicert.com. IN ANY

;; ANSWER SECTION:
www.digicert.com. 299 IN A 64.78.193.234
www.digicert.com. 0 IN AAAA ::ffff:67.215.65.132

Received 78 bytes from 127.0.1.1#53 in 27 ms

$ host -t A www.digicert.com
www.digicert.com has address 64.78.193.234

$ host -t AAAA www.digicert.com
www.digicert.com has no AAAA record
```
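The check the reporter reasons toward, as an added example that is not part of the bug report or of wget: a small Python script that parses a `host`-style answer section (a constructed sample modelled on the output above, with an RFC 5737 documentation address standing in for the IPv4 embedded in the AAAA answer), flags AAAA records that carry an IPv4-mapped address, and builds the address list a client should actually try, keeping all A records and only genuine IPv6 AAAA answers.

```python
import ipaddress

# Constructed sample in the shape of the `host -a` answer section in the report;
# the IPv4 inside the AAAA record is an RFC 5737 documentation address, not a page value.
SAMPLE_ANSWER_SECTION = """\
www.digicert.com. 95 IN A 64.78.193.234
www.digicert.com. 0 IN AAAA ::ffff:192.0.2.1
"""

def parse_answers(text):
    """Turn 'name ttl IN type rdata' lines into (name, ttl, type, rdata) tuples."""
    answers = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[2] != "IN":
            continue  # blank line or something that is not a resource record
        name, ttl, _, rtype, rdata = parts
        answers.append((name, int(ttl), rtype.upper(), rdata))
    return answers

def ipv4_mapped(rdata):
    """Embedded IPv4Address for ::ffff:a.b.c.d, else None (also for unparseable input)."""
    try:
        return ipaddress.IPv6Address(rdata).ipv4_mapped
    except ipaddress.AddressValueError:
        return None

def classify_aaaa(answers):
    """Flag AAAA answers carrying an IPv4-mapped address (::ffff:a.b.c.d).
    A client that uses one connects to the embedded IPv4 host, which in the
    report was not the site requested, hence the certificate name mismatch.
    Returns (rdata, embedded_ipv4, reasons) per flagged record."""
    a_records = {rdata for (_, _, rtype, rdata) in answers if rtype == "A"}
    flagged = []
    for _, ttl, rtype, rdata in answers:
        mapped = ipv4_mapped(rdata) if rtype == "AAAA" else None
        if mapped is None:
            continue  # A record, or a genuine IPv6 address: nothing to report
        reasons = ["IPv4-mapped address in AAAA"]
        if ttl == 0:
            reasons.append("TTL 0")
        if str(mapped) not in a_records:
            reasons.append("embedded IPv4 differs from the A records")
        flagged.append((rdata, str(mapped), "; ".join(reasons)))
    return flagged

def usable_addresses(answers):
    """Addresses a client should try: every A record, only genuine IPv6 AAAA records."""
    return [rdata for _, _, rtype, rdata in answers
            if rtype == "A" or (rtype == "AAAA" and ipv4_mapped(rdata) is None)]
```

Calling `classify_aaaa(parse_answers(SAMPLE_ANSWER_SECTION))` on the sample flags the mapped AAAA answer with all three reasons, and `usable_addresses` leaves only the A record to connect to.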