Just a wild theory, but wget (at least version 1.15) is not checking for revoked certificates.
How did I come to this conclusion – and how did I try to verify that?
First some information about the versions involved, which matters a lot for this topic.

# wget --version
GNU Wget 1.15 built on linux-gnu.
# openssl version
OpenSSL 1.0.1f 6 Jan 2014
Look at the current certificate, for example mine at https://www.höllrigl.at: it is issued by the "StartCom Class 1 Primary Intermediate Server CA" and its CRL distribution point is http://crl.startssl.com/crt1-crl.crl. A client that checks revocation would have to fetch that CRL when it validates the certificate, so any such fetch should show up as traffic to that host.

So I check where the CRL host resolves to and get a nice list:

# dig crl.startssl.com +short
www.startssl.com.edgesuite.net.
a1603.g1.akamai.net.
92.122.206.27
92.122.206.10
So let’s see if we find some traffic that goes there – first I tried a ping:
# tcpdump -i eth0 host crl.startssl.com
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
21:34:23.967704 IP 192.168.3.1 > a92-122-206-10.deploy.akamaitechnologies.com: ICMP echo request, id 18687, seq 1, length 64
21:34:24.016819 IP a92-122-206-10.deploy.akamaitechnologies.com > 192.168.3.1: ICMP echo reply, id 18687, seq 1, length 64

Next, fetch that URL with wget:

# wget https://www.höllrigl.at
--2015-11-30 21:35:46--  https://www.xn--hllrigl-90a.at/
Resolving www.höllrigl.at (www.xn--hllrigl-90a.at)... 193.239.248.170, 2a04:5540:1:41::10
Connecting to www.höllrigl.at (www.xn--hllrigl-90a.at)|193.239.248.170|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘index.html.2’

[ <=> ] 29,620 --.-K/s in 0.05s

2015-11-30 21:35:48 (594 KB/s) - ‘index.html.2’ saved [29620]
Now I'd like to show you the packets tcpdump captured during that fetch, but there are none.

Another strong indicator is that wget only gained a --crl-file=file option with version 1.16, which lets you check the server certificate against a locally stored CRL file; 1.15 has no option related to revocation at all.
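The following script is an added example and not code from the original post. It reproduces the two halves of the argument above offline: it uses openssl to build a throwaway CA, issues a server certificate that advertises a CRL distribution point (the same kind of URL the StartCom certificate carries), revokes that certificate and publishes the CRL, and then validates the certificate twice: once chain-only, which is all wget 1.15 does, and once with the CRL consulted, which is what wget 1.16's --crl-file enables once you have downloaded the CRL yourself. The CA name, the host name www.example.test and the CRL URL http://crl.example.test/demo.crl are assumptions made up for the demo; the URL is written into the certificate but never fetched.

```shell
#!/bin/sh
# Added example, not code from the original post. It uses openssl to build a
# throwaway CA, issue a server certificate that advertises a CRL distribution
# point, revoke that certificate and publish the CRL, then validates the
# certificate twice: once chain-only (what wget 1.15 effectively does) and
# once with the CRL consulted. All names, paths and the CRL URL are made up
# for the demo; the URL is written into the certificate but never fetched.
set -e

CRL_URL='http://crl.example.test/demo.crl'   # assumed distribution point

# Build CA, leaf certificate and CRL in a fresh temporary directory (and cd into it).
make_pki() {
    cd "$(mktemp -d)"
    cat > pki.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ ca ]
default_ca = demo
[ demo ]
database = index.txt
crlnumber = crlnumber
certificate = ca.pem
private_key = ca.key
default_md = sha256
default_crl_days = 7
EOF
    # Self-signed CA (-subj overrides the placeholder CN from the config).
    openssl req -x509 -config pki.cnf -extensions v3_ca -subj '/CN=Demo CA' \
        -newkey rsa:2048 -nodes -sha256 -days 7 -keyout ca.key -out ca.pem 2>/dev/null
    # Leaf key + CSR, signed by the CA with a crlDistributionPoints extension.
    openssl req -new -config pki.cnf -subj '/CN=www.example.test' \
        -newkey rsa:2048 -nodes -sha256 -keyout server.key -out server.csr 2>/dev/null
    printf 'basicConstraints=CA:FALSE\ncrlDistributionPoints=URI:%s\n' "$CRL_URL" > leaf.ext
    openssl x509 -req -in server.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
        -days 7 -sha256 -extfile leaf.ext -out server.pem 2>/dev/null
    # Minimal CA database; revoke the leaf and issue the CRL.
    : > index.txt
    echo 01 > crlnumber
    openssl ca -config pki.cnf -revoke server.pem 2>/dev/null
    openssl ca -config pki.cnf -gencrl -out demo.crl 2>/dev/null
}

# CRL distribution point as a client reads it from the certificate. This parses
# the -text output because 'openssl x509 -ext' only exists from 1.1.0 on.
crl_url_of() {
    openssl x509 -in "$1" -noout -text |
        awk '/CRL Distribution Points/ { f = 1 }
             f && /URI:/ { sub(/^.*URI:/, ""); print; exit }'
}

# Run openssl verify with extra options and classify the result by its output,
# which is stable across OpenSSL versions (old verify exit codes are not).
run_verify() {
    out=$(openssl verify "$@" -CAfile ca.pem server.pem 2>&1) || true
    case $out in
        *'certificate revoked'*) echo revoked ;;
        *': OK'*)                echo good ;;
        *)                       echo "failed: $out" ;;
    esac
}

# Chain validation only: this is all wget 1.15 does, so the revoked cert passes.
verify_chain_only() { run_verify; }

# Chain validation plus CRL check, the equivalent of wget 1.16's --crl-file.
verify_with_crl() { run_verify -crl_check -CRLfile demo.crl; }

demo() {
    make_pki
    echo "CRL distribution point: $(crl_url_of server.pem)"
    echo "chain only (wget 1.15 behaviour): $(verify_chain_only)"
    echo "with CRL (-crl_check):            $(verify_with_crl)"
}

demo
```

Two caveats for anyone repeating the tcpdump measurement from the post. First, `tcpdump host crl.startssl.com` resolves the name once when the filter is compiled, and the CRL host is served by Akamai, so a client could resolve it to addresses the filter does not cover; capturing DNS as well, or filtering on `port 80` instead of the host, makes an empty capture more conclusive. Second, even wget 1.16's --crl-file does not fetch the distribution point for you: you have to download the CRL (for example with wget itself) and keep it current, otherwise the check is only as good as the stale file you point it at.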