Wget can't connect securely to web.archive: self-signed certificate encountered [closed]

-2

I wanted to get some files from the link with wget, but it threw a self-signed certificate error. I'm connecting my phone directly to the mobile network, so I doubt there's a MITM attack going on. However, I don't really know how to proceed. Is there a way to trust this certificate securely?

wget https://web.archive.org/web/2000/https://mirrors.kernel.org/gentoo/distfiles/arial32.exe

--2018-09-29 12:41:17--  https://web.archive.org/web/2000/https://mirrors.kernel.org/gentoo/distfiles/arial32.exe
Resolving web.archive.org (web.archive.org)... 207.241.225.186
Connecting to web.archive.org (web.archive.org)|207.241.225.186|:443... connected.
ERROR: cannot verify web.archive.org's certificate, issued by ‘CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O=GoDaddy.com\, Inc.,L=Scottsdale,ST=Arizona,C=US’:
  Self-signed certificate encountered.
To connect to web.archive.org insecurely, use '--no-check-certificate'.

I'm using OpenSSL v1.1.1 (September 18 of this year), and here is the output of openssl s_client -showcerts -connect web.archive.org:443:

depth=3 C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
 0 s:OU = Domain Control Validated, CN = *.archive.org
   i:C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
-----BEGIN CERTIFICATE-----
MIIFLTCCBBWgAwIBAgIJAPPFDRFMIbH8MA0GCSqGSIb3DQEBCwUAMIG0MQswCQYD
VQQGEwJVUzEQMA4GA1UECBMHQXJpem9uYTETMBEGA1UEBxMKU2NvdHRzZGFsZTEa
MBgGA1UEChMRR29EYWRkeS5jb20sIEluYy4xLTArBgNVBAsTJGh0dHA6Ly9jZXJ0
cy5nb2RhZGR5LmNvbS9yZXBvc2l0b3J5LzEzMDEGA1UEAxMqR28gRGFkZHkgU2Vj
dXJlIENlcnRpZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTE2MTIxOTIwNTkwMVoX
DTIwMDIyMTIyNTYwOFowOzEhMB8GA1UECxMYRG9tYWluIENvbnRyb2wgVmFsaWRh
dGVkMRYwFAYDVQQDDA0qLmFyY2hpdmUub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEA0royrSANiuUFNP+TrzSDRRHjlYctU/IU2aSv4axKhujg+wic
0GYux/niopuo093YOD7xZ4lsadv6Nrsrc2boX6LfwGK/FDVD4zs8KNN2XQmToSLb
Yc+2imJv4EMjTy4osZ/FMZ6/saS3o7il6GRZAb8Y27I3tMNCWGV5c4UWrXxuxCWr
sHyEfai+s2iM2Tpn7bi8cRpoyAX+XFNy/9W6/OLaCwhmIjTHuXZtxJuYXg7saNaL
6F9UCu9Rj4mpk2Cs7hpFBqROGcY4NVnv0U0izQH+USaexxv76G1GhgHctSMaY1qc
GwhqNku3WOq8+LRJxlH1XrDKVTY83yoWJE7hqwIDAQABo4IBuDCCAbQwDAYDVR0T
AQH/BAIwADAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDgYDVR0PAQH/
BAQDAgWgMDcGA1UdHwQwMC4wLKAqoCiGJmh0dHA6Ly9jcmwuZ29kYWRkeS5jb20v
Z2RpZzJzMS0zNjcuY3JsMF0GA1UdIARWMFQwSAYLYIZIAYb9bQEHFwEwOTA3Bggr
BgEFBQcCARYraHR0cDovL2NlcnRpZmljYXRlcy5nb2RhZGR5LmNvbS9yZXBvc2l0
b3J5LzAIBgZngQwBAgEwdgYIKwYBBQUHAQEEajBoMCQGCCsGAQUFBzABhhhodHRw
Oi8vb2NzcC5nb2RhZGR5LmNvbS8wQAYIKwYBBQUHMAKGNGh0dHA6Ly9jZXJ0aWZp
Y2F0ZXMuZ29kYWRkeS5jb20vcmVwb3NpdG9yeS9nZGlnMi5jcnQwHwYDVR0jBBgw
FoAUQMK9J47MNIMwojPX+2yz8LQsgM4wJQYDVR0RBB4wHIINKi5hcmNoaXZlLm9y
Z4ILYXJjaGl2ZS5vcmcwHQYDVR0OBBYEFKgLo/M+BeZKoqDsbel0UB6XiJTcMA0G
CSqGSIb3DQEBCwUAA4IBAQAQcNS9qY9muyGGun7NlcRtoREto+sOL2e0Kttac7sA
9ptyRVja9dVGBMD7whODLRzCuTHLo7wkVQ7jXmgCWHLHGlHDMWrLioWaw3gVQfzc
JE3PTgz09svcAI/87/6rUgtE5bPFPNRkqQKk4BbS7iDCxpjALyGQ1hgnV2WnwONk
vne45Y7xWx4WOhr2hzK8LhlfaqIy662Q1QRuDh0sRZyxalCAlg42OVV4vxm+lTEr
f6CMNncNfPtZjSkB1oqKcM2BrCMINipfrrEUdsj3rJd116T6sCt+yK3OBFL5S7sI
Aho7A5W6t8u3zw3bJX6I5ntmKSdgI+c6+joKNN5SnUgn
-----END CERTIFICATE-----
 1 s:C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
   i:C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
-----BEGIN CERTIFICATE-----
MIIE0DCCA7igAwIBAgIBBzANBgkqhkiG9w0BAQsFADCBgzELMAkGA1UEBhMCVVMx
EDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAYBgNVBAoT
EUdvRGFkZHkuY29tLCBJbmMuMTEwLwYDVQQDEyhHbyBEYWRkeSBSb290IENlcnRp
ZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTExMDUwMzA3MDAwMFoXDTMxMDUwMzA3
MDAwMFowgbQxCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdBcml6b25hMRMwEQYDVQQH
EwpTY290dHNkYWxlMRowGAYDVQQKExFHb0RhZGR5LmNvbSwgSW5jLjEtMCsGA1UE
CxMkaHR0cDovL2NlcnRzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkvMTMwMQYDVQQD
EypHbyBEYWRkeSBTZWN1cmUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IC0gRzIwggEi
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC54MsQ1K92vdSTYuswZLiBCGzD
BNliF44v/z5lz4/OYuY8UhzaFkVLVat4a2ODYpDOD2lsmcgaFItMzEUz6ojcnqOv
K/6AYZ15V8TPLvQ/MDxdR/yaFrzDN5ZBUY4RS1T4KL7QjL7wMDge87Am+GZHY23e
cSZHjzhHU9FGHbTj3ADqRay9vHHZqm8A29vNMDp5T19MR/gd71vCxJ1gO7GyQ5HY
pDNO6rPWJ0+tJYqlxvTV0KaudAVkV4i1RFXULSo6Pvi4vekyCgKUZMQWOlDxSq7n
eTOvDCAHf+jfBDnCaQJsY1L6d8EbyHSHyLmTGFBUNUtpTrw700kuH9zB0lL7AgMB
AAGjggEaMIIBFjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNV
HQ4EFgQUQMK9J47MNIMwojPX+2yz8LQsgM4wHwYDVR0jBBgwFoAUOpqFBxBnKLbv
9r0FQW4gwZTaD94wNAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRwOi8v
b2NzcC5nb2RhZGR5LmNvbS8wNQYDVR0fBC4wLDAqoCigJoYkaHR0cDovL2NybC5n
b2RhZGR5LmNvbS9nZHJvb3QtZzIuY3JsMEYGA1UdIAQ/MD0wOwYEVR0gADAzMDEG
CCsGAQUFBwIBFiVodHRwczovL2NlcnRzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkv
MA0GCSqGSIb3DQEBCwUAA4IBAQAIfmyTEMg4uJapkEv/oV9PBO9sPpyIBslQj6Zz
91cxG7685C/b+LrTW+C05+Z5Yg4MotdqY3MxtfWoSKQ7CC2iXZDXtHwlTxFWMMS2
RJ17LJ3lXubvDGGqv+QqG+6EnriDfcFDzkSnE3ANkR/0yBOtg2DZ2HKocyQetawi
DsoXiWJYRBuriSUBAA/NxBti21G00w9RKpv0vHP8ds42pM3Z2Czqrpv1KrKQ0U11
GIo/ikGQI31bS/6kA1ibRrLDYGCD+H1QQc7CoZDDu+8CL9IVVO5EFdkKrqeKM+2x
LXY2JtwE65/3YR8V3Idv7kaWKK2hJn0KCacuBKONvPi8BDAB
-----END CERTIFICATE-----
 2 s:C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
   i:C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
-----BEGIN CERTIFICATE-----
MIIEfTCCA2WgAwIBAgIDG+cVMA0GCSqGSIb3DQEBCwUAMGMxCzAJBgNVBAYTAlVT
MSEwHwYDVQQKExhUaGUgR28gRGFkZHkgR3JvdXAsIEluYy4xMTAvBgNVBAsTKEdv
IERhZGR5IENsYXNzIDIgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTQwMTAx
MDcwMDAwWhcNMzEwNTMwMDcwMDAwWjCBgzELMAkGA1UEBhMCVVMxEDAOBgNVBAgT
B0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAYBgNVBAoTEUdvRGFkZHku
Y29tLCBJbmMuMTEwLwYDVQQDEyhHbyBEYWRkeSBSb290IENlcnRpZmljYXRlIEF1
dGhvcml0eSAtIEcyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv3Fi
CPH6WTT3G8kYo/eASVjpIoMTpsUgQwE7hPHmhUmfJ+r2hBtOoLTbcJjHMgGxBT4H
Tu70+k8vWTAi56sZVmvigAf88xZ1gDlRe+X5NbZ0TqmNghPktj+pA4P6or6KFWp/
3gvDthkUBcrqw6gElDtGfDIN8wBmIsiNaW02jBEYt9OyHGC0OPoCjM7T3UYH3go+
6118yHz7sCtTpJJiaVElBWEaRIGMLKlDliPfrDqBmg4pxRyp6V0etp6eMAo5zvGI
gPtLXcwy7IViQyU0AlYnAZG0O3AqP26x6JyIAX2f1PnbU21gnb8s51iruF9G/M7E
GwM8CetJMVxpRrPgRwIDAQABo4IBFzCCARMwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFDqahQcQZyi27/a9BUFuIMGU2g/eMB8GA1Ud
IwQYMBaAFNLEsNKR1EwRcbNhyz2h/t2oatTjMDQGCCsGAQUFBwEBBCgwJjAkBggr
BgEFBQcwAYYYaHR0cDovL29jc3AuZ29kYWRkeS5jb20vMDIGA1UdHwQrMCkwJ6Al
oCOGIWh0dHA6Ly9jcmwuZ29kYWRkeS5jb20vZ2Ryb290LmNybDBGBgNVHSAEPzA9
MDsGBFUdIAAwMzAxBggrBgEFBQcCARYlaHR0cHM6Ly9jZXJ0cy5nb2RhZGR5LmNv
bS9yZXBvc2l0b3J5LzANBgkqhkiG9w0BAQsFAAOCAQEAWQtTvZKGEacke+1bMc8d
H2xwxbhuvk679r6XUOEwf7ooXGKUwuN+M/f7QnaF25UcjCJYdQkMiGVnOQoWCcWg
OJekxSOTP7QYpgEGRJHjp2kntFolfzq3Ms3dhP8qOCkzpN1nsoX+oYggHFCJyNwq
9kIDN0zmiN/VryTyscPfzLXs4Jlet0lUIDyUGAzHHFIYSaRt4bNYC8nY7NmuHDKO
KHAN4v6mF56ED71XcLNa6R+ghlO773z/aQvgSMO3kwvIClTErF0UZzdsyqUvMQg3
qm5vjLyb4lddJIGvl5echK1srDdMZvNhkREg5L4wn3qkKQmw4TRfZHcYQFHfjDCm
rw==
-----END CERTIFICATE-----
 3 s:C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
   i:C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
-----BEGIN CERTIFICATE-----
MIIEADCCAuigAwIBAgIBADANBgkqhkiG9w0BAQUFADBjMQswCQYDVQQGEwJVUzEh
MB8GA1UEChMYVGhlIEdvIERhZGR5IEdyb3VwLCBJbmMuMTEwLwYDVQQLEyhHbyBE
YWRkeSBDbGFzcyAyIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTA0MDYyOTE3
MDYyMFoXDTM0MDYyOTE3MDYyMFowYzELMAkGA1UEBhMCVVMxITAfBgNVBAoTGFRo
ZSBHbyBEYWRkeSBHcm91cCwgSW5jLjExMC8GA1UECxMoR28gRGFkZHkgQ2xhc3Mg
MiBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTCCASAwDQYJKoZIhvcNAQEBBQADggEN
ADCCAQgCggEBAN6d1+pXGEmhW+vXX0iG6r7d/+TvZxz0ZWizV3GgXne77ZtJ6XCA
PVYYYwhv2vLM0D9/AlQiVBDYsoHUwHU9S3/Hd8M+eKsaA7Ugay9qK7HFiH7Eux6w
wdhFJ2+qN1j3hybX2C32qRe3H3I2TqYXP2WYktsqbl2i/ojgC95/5Y0V4evLOtXi
EqITLdiOr18SPaAIBQi2XKVlOARFmR6jYGB0xUGlcmIbYsUfb18aQr4CUWWoriMY
avx4A6lNf4DD+qta/KFApMoZFv6yyO9ecw3ud72a9nmYvLEHZ6IVDd2gWMZEewo+
YihfukEHU1jPEX44dMX4/7VpkI+EdOqXG68CAQOjgcAwgb0wHQYDVR0OBBYEFNLE
sNKR1EwRcbNhyz2h/t2oatTjMIGNBgNVHSMEgYUwgYKAFNLEsNKR1EwRcbNhyz2h
/t2oatTjoWekZTBjMQswCQYDVQQGEwJVUzEhMB8GA1UEChMYVGhlIEdvIERhZGR5
IEdyb3VwLCBJbmMuMTEwLwYDVQQLEyhHbyBEYWRkeSBDbGFzcyAyIENlcnRpZmlj
YXRpb24gQXV0aG9yaXR5ggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQAD
ggEBADJL87LKPpH8EsahB4yOd6AzBhRckB4Y9wimPQoZ+YeAEW5p5JYXMP80kWNy
OO7MHAGjHZQopDH2esRU1/blMVgDoszOYtuURXO1v0XJJLXVggKtI3lpjbi2Tc7P
TMozI+gciKqdi0FuFskg5YmezTvacPd+mSYgFFQlq25zheabIZ0KbIIOqPjCDPoQ
HmyW74cNxA9hi63ugyuV+I6ShHI56yDqg+2DzZduCLzrTia2cyvk0/ZM/iZx4mER
dEr/VxqHD3VILs9RaRegAhJhldXRQLIQTO7ErBBDpqWeCtWVYpoNz4iCxTIM5Cuf
ReYNnyicsbkqWletNw+vHX/bvZ8=
-----END CERTIFICATE-----
---
Server certificate
subject=OU = Domain Control Validated, CN = *.archive.org

issuer=C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2

---
No client certificate CA names sent
Peer signing digest: SHA512
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 5445 bytes and written 443 bytes
Verification error: self signed certificate in certificate chain
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: B306B4F039744DD648EE3F8450EF381562A4D631457E0F40B93CCB50E3EF6045
    Session-ID-ctx: 
    Master-Key: B1DDCCA514588A7FD5F7D37B09ECF563589CF3BA02C9BFDC44597A110BC3295C8BE4C79ECE0C1D9B945D66E9539FA6F4
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 600 (seconds)
    TLS session ticket:
    0000 - f2 a0 43 c4 4d 3f b3 7c-85 16 57 82 10 6d 76 e4   ..C.M?.|..W..mv.
    0010 - 64 e1 d0 f7 38 de 01 65-e5 d5 a8 f0 12 01 e5 76   d...8..e.......v
    0020 - 31 cb 74 9a a7 06 0e f6-5e f8 c0 27 4c 11 3d bf   1.t.....^..'L.=.
    0030 - fb e3 e6 21 f7 b2 20 93-df df 9e 80 43 29 1b f2   ...!.. .....C)..
    0040 - 97 43 af 14 8a f8 53 4b-53 8d 21 df cd be 3b d6   .C....SKS.!...;.
    0050 - aa 02 8e 1f f1 ea 5a e5-b8 8f 7b df e4 ba df 9a   ......Z...{.....
    0060 - 81 de 15 00 f5 f8 72 5e-81 52 da ce 9e cb 5f dc   ......r^.R...._.
    0070 - dc f6 a8 e3 de d5 f1 33-84 57 de f4 f7 59 24 c5   .......3.W...Y$.
    0080 - 09 8b 3a 56 9c a4 9d 3a-1b fc f4 48 1e b1 d1 e6   ..:V...:...H....
    0090 - ad cb 77 e2 08 4a 25 01-51 5f 09 da 3c 5e 96 94   ..w..J%.Q_..<^..
    00a0 - 9b e4 c1 71 28 b6 a0 e5-6b 15 df 98 6d 9b 17 79   ...q(...k...m..y
    00b0 - 4f 24 c1 94 21 6a 32 ab-bb cd 6e 29 3e 69 44 46   O$..!j2...n)>iDF

    Start Time: 1538199534
    Timeout   : 7200 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
    Extended master secret: no
---
    
posted by bluppfisk 29.09.2018 - 07:42

1 answer

1

If you believe the certificate being presented is valid (even though the root is not in your trusted root authorities), you can override wget and force it to accept that certificate for a given request by adding --no-check-certificate to the command line. To quote the wget man page:

--no-check-certificate

Don’t check the server certificate against the available certificate authorities. Also don’t require the URL host name to match the common name presented by the certificate.

As of Wget 1.10, the default is to verify the server’s certificate against the recognized certificate authorities, breaking the SSL handshake and aborting the download if the verification fails. Although this provides more secure downloads, it does break interoperability with some sites that worked with previous Wget versions, particularly those using self-signed, expired, or otherwise invalid certificates. This option forces an “insecure” mode of operation that turns the certificate verification errors into warnings and allows you to proceed.

If you encounter “certificate verification” errors or ones saying that “common name doesn’t match requested host name”, you can use this option to bypass the verification and proceed with the download. Only use this option if you are otherwise convinced of the site’s authenticity, or if you really don’t care about the validity of its certificate.

Based on the comments added to your question, it looks like you were using a recent hand-installed OpenSSL build when you were successful with OpenSSL. Wget uses the system's trusted-authority store, which on a Linux host is often found in /etc/ssl or /etc/pki and corresponds to whatever system installation of OpenSSL you are using. In that case, you can either add the trusted root to the system's trusted-authority store, or you can simply tell wget to use a specific trusted root for this connection:

--ca-certificate=file

Use file as the file with the bundle of certificate authorities (“CA”) to verify the peers. The certificates must be in PEM format.

Without this option Wget looks for CA certificates at the system-specified locations, chosen at OpenSSL installation time.

This is better than simply not checking the certificate, even though it is a bit more work.

    
answered 29.09.2018 - 14:49
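The --ca-certificate route in the answer above needs two things the question already has in hand: the root certificate in PEM form, and a way to decide whether that root deserves trust. The s_client output shows the whole chain and reports the failure at depth=3, the self-signed Go Daddy Class 2 root, so the question is whether that particular certificate is the genuine one. The following is an added example, not code from the question, the answer or the wget project: it parses `openssl s_client -showcerts` output, flags the self-signed entry, prints each certificate's SHA-256 fingerprint so it can be compared with the value the CA publishes, writes only that root to a bundle file and builds the wget command line. `SAMPLE_SHOWCERTS` is constructed: its subject/issuer lines follow the chain in the question, but the base64 bodies are placeholders rather than real certificates; `trusted-root.pem` is an assumed output path.

```python
import base64
import hashlib
import re
import shlex
from dataclasses import dataclass
from typing import List

# Constructed sample in the shape of `openssl s_client -showcerts` output.
# Subject/issuer lines follow the chain in the question; the base64 bodies are
# placeholders, NOT real certificates, so the script runs offline.
SAMPLE_SHOWCERTS = """\
depth=3 C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
 0 s:OU = Domain Control Validated, CN = *.archive.org
   i:C = US, O = "GoDaddy.com, Inc.", CN = Go Daddy Secure Certificate Authority - G2
-----BEGIN CERTIFICATE-----
bGVhZi1jZXJ0LXBsYWNlaG9sZGVy
-----END CERTIFICATE-----
 1 s:C = US, O = "GoDaddy.com, Inc.", CN = Go Daddy Secure Certificate Authority - G2
   i:C = US, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
-----BEGIN CERTIFICATE-----
aW50ZXJtZWRpYXRlLXBsYWNlaG9sZGVy
-----END CERTIFICATE-----
 2 s:C = US, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
   i:C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
-----BEGIN CERTIFICATE-----
Y3Jvc3Mtc2lnbmVkLXJvb3QtcGxhY2Vob2xkZXI=
-----END CERTIFICATE-----
 3 s:C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
   i:C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
-----BEGIN CERTIFICATE-----
c2VsZi1zaWduZWQtcm9vdC1wbGFjZWhvbGRlcg==
-----END CERTIFICATE-----
---
"""


@dataclass
class ChainEntry:
    depth: int
    subject: str
    issuer: str
    pem: str  # full PEM block, BEGIN/END lines included

    @property
    def der(self) -> bytes:
        body = "".join(l for l in self.pem.splitlines() if not l.startswith("-----"))
        return base64.b64decode(body)

    @property
    def sha256_fingerprint(self) -> str:
        # Same value `openssl x509 -noout -fingerprint -sha256` prints for a real cert.
        hexdigest = hashlib.sha256(self.der).hexdigest().upper()
        return ":".join(hexdigest[i:i + 2] for i in range(0, 64, 2))

    @property
    def is_self_signed(self) -> bool:
        # Heuristic: a root names itself as issuer (the signature is not checked here);
        # intermediates and cross-signed roots, like depth 2 above, do not.
        return self.subject == self.issuer


# One " N s:<subject>" / "   i:<issuer>" pair followed by its PEM block (OpenSSL 1.1.1 layout).
ENTRY_RE = re.compile(
    r"^ *(\d+) s:([^\n]*)\n *i:([^\n]*)\n"
    r"(-----BEGIN CERTIFICATE-----\n.*?\n-----END CERTIFICATE-----)",
    re.MULTILINE | re.DOTALL,
)


def parse_chain(showcerts_output: str) -> List[ChainEntry]:
    """Split `openssl s_client -showcerts` output into the certificates the server sent."""
    return [ChainEntry(int(m.group(1)), m.group(2).strip(), m.group(3).strip(), m.group(4))
            for m in ENTRY_RE.finditer(showcerts_output)]


def select_trust_anchor(chain: List[ChainEntry]) -> ChainEntry:
    """Return the single self-signed certificate; refuse to guess if there is not exactly one."""
    roots = [c for c in chain if c.is_self_signed]
    if len(roots) != 1:
        raise ValueError(f"expected exactly one self-signed certificate, found {len(roots)}")
    return roots[0]


def ca_bundle_text(anchor: ChainEntry) -> str:
    """PEM text for wget --ca-certificate: the vetted root and nothing else."""
    return anchor.pem + "\n"


def wget_command(url: str, ca_file: str) -> str:
    """Keeps chain and hostname verification on; only the trusted root changes."""
    return f"wget --ca-certificate={shlex.quote(ca_file)} {shlex.quote(url)}"


if __name__ == "__main__":
    chain = parse_chain(SAMPLE_SHOWCERTS)
    for entry in chain:
        tag = "  <- self-signed root" if entry.is_self_signed else ""
        print(f"{entry.depth} {entry.subject}{tag}")
        print(f"  SHA-256 {entry.sha256_fingerprint}")
    anchor = select_trust_anchor(chain)
    # Before trusting it: compare the printed fingerprint with the one the CA
    # publishes on its own site (a manual, out-of-band step assumed here).
    with open("trusted-root.pem", "w") as fh:  # assumed output path
        fh.write(ca_bundle_text(anchor))
    print(wget_command("https://web.archive.org/web/2000/https://mirrors.kernel.org/gentoo/distfiles/arial32.exe",
                       "trusted-root.pem"))
```

Feed it the real output of `openssl s_client -showcerts -connect web.archive.org:443 </dev/null` instead of the sample and the fingerprint of the depth-3 entry is what to compare against the CA's published root fingerprint; only after that match does writing the root to the bundle and running the printed wget line amount to trusting the certificate "securely", because the chain and hostname checks stay on and a different certificate would still be rejected. --no-check-certificate, by contrast, turns those checks off entirely, so any certificate the server presents is accepted.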
