[Impact]
* CONFIG_FEATURE_WGET_OPENSSL=y enables https support in the busybox wget applet
* When performing https requests, it forks `openssl s_client` and communicates with it to perform the https download
* Whilst doing so, it does not pass the `-verify_return_error` option, meaning any verification errors are ignored
* This allows https downloads to succeed without any CA certificates or validation
* This allows MITM attacks
[Test Case]
* Preparation: sudo apt install busybox
* Test case: /bin/busybox wget https://untrusted-root.badssl.com/
* Expected: download failed, like with GNU wget
$ wget https://untrusted-root.badssl.com/
--2020-05-19 18:00:38-- https://untrusted-root.badssl.com/
Resolving untrusted-root.badssl.com (untrusted-root.badssl.com)... 104.154.89.105
Connecting to untrusted-root.badssl.com (untrusted-root.badssl.com)|104.154.89.105|:443... connected.
ERROR: cannot verify untrusted-root.badssl.com's certificate, issued by ‘CN=BadSSL Untrusted Root Certificate Authority,O=BadSSL,L=San Francisco,ST=California,C=US’:
Self-signed certificate encountered.
To connect to untrusted-root.badssl.com insecurely, use `--no-check-certificate'.
* Observed: download success
$ /bin/busybox wget https://untrusted-root.badssl.com/
Connecting to untrusted-root.badssl.com (104.154.89.105:443)
index.html 100% |*************************************************************************************| 600 0:00:00 ETA
$ cat index.html | grep certificate
The certificate for this site is signed using an untrusted root.
[Regression Potential]
* The fact that /bin/busybox wget https:// succeeds without TLS verification might be relied upon. If this issue is fixed, ensure that `--no-check-certificate` is honored.
[Other Info]
* Proposed fix
pass `-verify_return_error` to s_client, unless `--no-check-certificate` is specified
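
The proposed fix sketched in C, as an added example that is not BusyBox source and not part of the original report: the argument vector for the `openssl s_client` child gets `-verify_return_error` unless the user opted out with `--no-check-certificate`. The names `build_s_client_argv`, `argv_has` and `S_CLIENT_MAX_ARGS` are hypothetical, and the use of `-quiet`, `-connect` and `-servername` is an assumption about how the helper is invoked.

```c
#include <stdio.h>
#include <string.h>

#define S_CLIENT_MAX_ARGS 9  /* 8 arguments plus the NULL terminator */

/* Hypothetical helper, not BusyBox source: fill argv[] for the
 * `openssl s_client` child that carries the https connection.
 * no_check is non-zero when the user passed --no-check-certificate.
 * Returns argc, or -1 on bad input. argv[] is NULL-terminated. */
int build_s_client_argv(const char *argv[], size_t cap, const char *host_port,
                        const char *servername, int no_check)
{
    size_t n = 0;

    if (host_port == NULL || cap < S_CLIENT_MAX_ARGS)
        return -1;
    argv[n++] = "openssl";
    argv[n++] = "s_client";
    argv[n++] = "-quiet";            /* no session/certificate chatter */
    argv[n++] = "-connect";
    argv[n++] = host_port;
    if (servername != NULL) {        /* SNI name, optional */
        argv[n++] = "-servername";
        argv[n++] = servername;
    }
    /* Fail closed: abort the handshake on a verification error unless
     * the user explicitly opted out of certificate checking. */
    if (!no_check)
        argv[n++] = "-verify_return_error";
    argv[n] = NULL;
    return (int)n;
}

/* Return 1 if flag appears in the NULL-terminated argv[], else 0. */
int argv_has(const char *const argv[], const char *flag)
{
    for (size_t i = 0; argv[i] != NULL; i++)
        if (strcmp(argv[i], flag) == 0)
            return 1;
    return 0;
}

int main(void)
{
    const char *argv[S_CLIENT_MAX_ARGS];
    const char *host = "untrusted-root.badssl.com";  /* host from the test case */

    build_s_client_argv(argv, S_CLIENT_MAX_ARGS,
                        "untrusted-root.badssl.com:443", host, 0);
    for (size_t i = 0; argv[i] != NULL; i++)
        printf("%s ", argv[i]);
    putchar('\n');
    return 0;
}
```

A regression test for the fix should cover both branches: the flag present by default, and absent only when `--no-check-certificate` is given.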