wget isn’t checking CRLs?

Written by  on Dezember 1, 2015 

Just a wild theory, but wget is not checking for revoked certificates.
How did I come to this conclusion – and how did I try to verify that?

First some infos about versions – which may be rather important on that topic.

wget --version
GNU Wget 1.15 built on linux-gnu.
openssl version
OpenSSL 1.0.1f 6 Jan 2014

Check about the current certificate, like mine here at https://www.höllrigl.at -> you’ll see a certificate from „StartCom Class 1 Primary Intermediate Server CA“ CA and a CRL at http://crl.startssl.com/crt1-crl.crl

So I’m checking about where to find the CRL and get a nice list

# dig crl.startssl.com +short
www.startssl.com.edgesuite.net.
a1603.g1.akamai.net.
92.122.206.27
92.122.206.10

So let’s see if we find some traffic that goes there – first I tried a ping:

# tcpdump -i eth0 host crl.startssl.com
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
21:34:23.967704 IP 192.168.3.1 > a92-122-206-10.deploy.akamaitechnologies.com: ICMP echo request, id 18687, seq 1, length 64
21:34:24.016819 IP a92-122-206-10.deploy.akamaitechnologies.com > 192.168.3.1: ICMP echo reply, id 18687, seq 1, length 64

Next thing, fetch that URL with wget

# wget https://www.höllrigl.at
--2015-11-30 21:35:46--  https://www.xn--hllrigl-90a.at/
Resolving www.höllrigl.at (www.xn--hllrigl-90a.at)... 193.239.248.170, 2a04:5540:1:41::10
Connecting to www.höllrigl.at (www.xn--hllrigl-90a.at)|193.239.248.170|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘index.html.2’

    [ <=>                                                                                                                                                                                             ] 29,620      --.-K/s   in 0.05s

2015-11-30 21:35:48 (594 KB/s) - ‘index.html.2’ saved [29620]

Now I’d like to show to you the dumped packages in tcpdump – but there are none.
Other strong indicators are, that there only started to be a ‚–crl-file=file‘ option to wget starting with 1.16, which allows you to check your certificate against a locally stored CRL file.

Category : Allgemein

Tags :

Schreibe einen Kommentar

Deine E-Mail-Adresse wird nicht veröffentlicht. Erforderliche Felder sind mit * markiert.