This is the mail archive of the cygwin mailing list for the Cygwin project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

Re: wget does not recognize PKI?

From: Andrey Repin <anrdaemon at yandex dot ru>
To: Csaba Raduly <rcsaba at gmail dot com>, cygwin at cygwin dot com
Date: Mon, 6 Aug 2018 12:44:07 +0300
Subject: Re: wget does not recognize PKI?
References: <1964416456.20180805201253@yandex.ru> <bd0e6b94-9286-9e42-0efa-6ce8a9e2bd8d@gmail.com> <CAEhDDbCE6BN+Ok-NnAS9JhxXa6mC5NYqsyFUMhLS+jZuYoe9tw@mail.gmail.com>
Reply-to: cygwin at cygwin dot com

Greetings, Csaba Raduly!

> On Sun, Aug 5, 2018 at 7:36 PM, Marco Atzeri  wrote:
>> Am 05.08.2018 um 19:12 schrieb Andrey Repin:
>>>
>>> Greetings, All!
>>>
>>> $ wget https://ca.rootdir.org/ca.crl
>>> --2018-08-05 20:05:28--  https://ca.rootdir.org/ca.crl
>>> Resolving ca.rootdir.org (ca.rootdir.org)... 192.168.1.6
>>> Connecting to ca.rootdir.org (ca.rootdir.org)|192.168.1.6|:443...
>>> connected.
>>> ERROR: The certificate of ‘ca.rootdir.org’ is not trusted.
>>> ERROR: The certificate of ‘ca.rootdir.org’ hasn't got a known issuer.
>>>
>>
>>>
>>> What's going on?
>>>
>>
>> It seems not a cygwin issue:
>>
>> "This connection is not secure
>>
>> The owner of ca.rootdir.org did not properly configure the site. Firefox has
>> not affiliated with this site to protect your information from theft."
>>

As I said, the root CA certificate is properly installed.

> And not just Firefox :

> $ curl -v https://ca.rootdir.org/ca.crl

$ curl -v https://ca.rootdir.org/ca.crl
* STATE: INIT => CONNECT handle 0x600057ac0; line 1404 (connection #-5000)
* Added connection 0. The cache now contains 1 members
* STATE: CONNECT => WAITRESOLVE handle 0x600057ac0; line 1440 (connection #0)
*   Trying 192.168.1.6...
* TCP_NODELAY set
* STATE: WAITRESOLVE => WAITCONNECT handle 0x600057ac0; line 1521 (connection #0)
* Connected to ca.rootdir.org (192.168.1.6) port 443 (#0)
* STATE: WAITCONNECT => SENDPROTOCONNECT handle 0x600057ac0; line 1573 (connection #0)
* Marked for [keep alive]: HTTP default
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
  CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* STATE: SENDPROTOCONNECT => PROTOCONNECT handle 0x600057ac0; line 1587 (connection #0)
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=RU; ST=RF; L=Moscow; CN=Rootdir CA webserver
*  start date: Nov 21 17:47:29 2017 GMT
*  expire date: Nov 22 17:47:29 2018 GMT
*  subjectAltName: host "ca.rootdir.org" matched cert's "ca.rootdir.org"
*  issuer: C=RU; L=Moscow; CN=Andrey Repin; emailAddress=anrdaemon@rootdir.org
*  SSL certificate verify ok.
* STATE: PROTOCONNECT => DO handle 0x600057ac0; line 1608 (connection #0)
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x600057ac0)
> GET /ca.crl HTTP/2
> Host: ca.rootdir.org
> User-Agent: curl/7.59.0
> Accept: */*
>
* STATE: DO => DO_DONE handle 0x600057ac0; line 1670 (connection #0)
* multi changed, check CONNECT_PEND queue!
* STATE: DO_DONE => WAITPERFORM handle 0x600057ac0; line 1795 (connection #0)
* STATE: WAITPERFORM => PERFORM handle 0x600057ac0; line 1811 (connection #0)
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
* multi changed, check CONNECT_PEND queue!
* HTTP/2 found, allow multiplexing
< HTTP/2 200
< server: nginx/1.14.0
< date: Mon, 06 Aug 2018 09:41:25 GMT
< content-type: application/octet-stream
< content-length: 872
< last-modified: Sun, 05 Aug 2018 16:51:59 GMT
< etag: "5b672b2f-368"
< accept-ranges: bytes
<
Warning: Binary output can mess up your terminal. Use "--output -" to tell
Warning: curl to output it to your terminal anyway, or consider "--output
Warning: <FILE>" to save to a file.
* Failed writing body (0 != 872)
* Kill stream: Transfer returned error
* multi_done
* Connection #0 to host ca.rootdir.org left intact
* Expire cleared

[23]anrdaemon@daemon2:xterm:~
$ "$( which curl )" --version
curl 7.59.0 (x86_64-unknown-cygwin) libcurl/7.59.0 OpenSSL/1.0.2o zlib/1.2.11 libidn2/2.0.4 libpsl/0.18.0 (+libidn2/2.0.2) libssh2/1.7.0 nghttp2/1.31.0
Release-Date: 2018-03-14
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: AsynchDNS Debug IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz TLS-SRP HTTP2 UnixSockets HTTPS-proxy PSL Metalink


-- 
With best regards,
Andrey Repin
Monday, August 6, 2018 12:41:08

Sorry for my terrible english...
--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

References:
- wget does not recognize PKI?
  - From: Andrey Repin
- Re: wget does not recognize PKI?
  - From: Marco Atzeri
- Re: wget does not recognize PKI?
  - From: Csaba Raduly

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]