apt-cyg
make wget upgrade-self use no-check-certificate
In a system that needs no-check-certificate, calling wget without it creates a copy of the file that is empty/useless.
So this makes the default fallback not check certificates.
Why does your system need no-check-certificate? Almost all systems do not need it. You must not decrease the whole security level to resolve a special case, I think.
I'll look into it tomorrow morning when I get to that work location.
At my main work location, wget calls within Cygwin always give an error about not being able to verify certificates, and at the location I'm at now everything works fine with a default installation.
And AFAIK the networks here are set up the same (I believe the same IT folks set up both schools, but I'm not sure).
On Mon, Dec 9, 2019 at 4:21 PM kou1okada wrote:
> Why does your system need no-check-certificate? Almost all systems do not need it. You must not decrease the whole security level to resolve a special case, I think.
Does your environment have the ca-certificates package installed correctly?
It provides CA certificates, and it is also required by wget.
$ apt-cyg rdepends ca-certificates | grep ^wget
wget 1 3 3
$ apt-cyg depends wget | grep ^ca-certificates
ca-certificates 1 3 3
So, if you install wget, it will be installed automatically.
If it is not installed correctly, apt-cyg dist-upgrade may solve the problem.
I think the following suggestions will help people who are in a similar situation to yours.
- Catch a failing wget and abort the task.
- Provide an option to use --no-check-certificate.
But ignoring the certificate for the whole environment is a bad idea.
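The two suggestions above (abort when wget fails, and make --no-check-certificate an explicit per-call opt-in rather than the default) could look like this. This is an added example, not apt-cyg's own code and not code from the thread; the function name fetch_verified and the APT_CYG_INSECURE variable are hypothetical. The only external fact it relies on is wget's documented exit status 5 for an SSL verification failure.

```bash
#!/bin/bash
# Added example (hypothetical, not apt-cyg code): download with wget, fail
# closed on a certificate error instead of leaving an empty file behind, and
# only disable verification when the caller opts in for this one call.

# wget(1) documents exit status 5 as "SSL verification failure".
WGET_EXIT_SSL_FAIL=5

# fetch_verified URL DEST
#   APT_CYG_INSECURE=1 (hypothetical name) opts out of verification for this
#   call only, and is logged loudly. On any wget failure the partial or empty
#   output file is removed; on a verification failure diagnostic hints are
#   printed. wget's exit status is returned unchanged so the caller can abort.
fetch_verified() {
  local url=$1 dest=$2 status
  set -- -q -O "$dest" "$url"
  if [ "${APT_CYG_INSECURE:-0}" = 1 ]; then
    echo "warning: certificate verification DISABLED for $url" >&2
    set -- --no-check-certificate "$@"
  fi
  if wget "$@"; then
    status=0
  else
    status=$?
  fi
  if [ "$status" -eq 0 ]; then
    return 0
  fi
  # Never leave a zero-byte or truncated file where the real one should be.
  rm -f "$dest"
  if [ "$status" -eq "$WGET_EXIT_SSL_FAIL" ]; then
    echo "error: cannot verify the certificate of $url; aborting (nothing written to $dest)" >&2
    echo "hint: inspect the chain:  echo | openssl s_client -connect HOST:443" >&2
    echo "hint: make sure the ca-certificates package is installed (apt-cyg depends wget)" >&2
    echo "hint: to bypass for this call only: APT_CYG_INSECURE=1 fetch_verified URL DEST" >&2
  fi
  return "$status"
}

# Example call (not run here; needs network):
#   fetch_verified "$URL" "$DEST" || exit $?
```

Because the wrapper passes wget's status through instead of swallowing it, the caller can abort an upgrade-self run rather than overwrite the script with an empty file, and the bypass is visible in the log of the one run that used it instead of being silently baked into every download.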
ca-certificates is installed. But I receive:
ERROR: The certificate of ‘raw.githubusercontent.com’ is not trusted.
ERROR: The certificate of ‘raw.githubusercontent.com’ hasn't got a known issuer.
On Tue, Dec 10, 2019 at 12:07 PM kou1okada wrote:
> Does your environment have the ca-certificates package installed correctly? It provides CA certificates, and it is also required by wget.
>
> $ apt-cyg rdepends ca-certificates | grep ^wget
> wget 1 3 3
> $ apt-cyg depends wget | grep ^ca-certificates
> ca-certificates 1 3 3
>
> So, if you install wget, it will be installed automatically. If it is not installed correctly, apt-cyg dist-upgrade may solve the problem.
> I think the following suggestions will help people who are in a similar situation to yours.
> - Catch a failing wget and abort the task.
> - Provide an option to use --no-check-certificate.
> But ignoring the certificate for the whole environment is a bad idea.
Shouldn't you suspect a security risk such as a MITM (man-in-the-middle) attack?
You must check with openssl as below:
$ echo|openssl s_client -connect raw.githubusercontent.com:443
CONNECTED(00000004)
---
Certificate chain
0 s:C = US, ST = California, L = San Francisco, O = "GitHub, Inc.", CN = www.github.com
i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
1 s:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=C = US, ST = California, L = San Francisco, O = "GitHub, Inc.", CN = www.github.com
issuer=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
---
No client certificate CA names sent
Peer signing digest: SHA512
Peer signature type: RSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3833 bytes and written 430 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: 8837E1F890B3153AD729B29D632BB165F8F3D21953FF5FE1C18A8256BD660B80
Session-ID-ctx:
Master-Key: 2E182D7F449EA6934AF5A9AE0BCEB0849810DD6AC597392958B77A4AFD83F663D0A8DCA65143126E99B1C69061B27748
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - 66 8a e6 2a 60 53 00 d8-8b 4b 1b db b8 2e 89 b1 f..*`S...K......
0010 - f2 b7 1d 1b dc 61 05 2f-44 a5 13 47 54 19 94 5f .....a./D..GT.._
0020 - 85 9d 3f cb 63 05 4f 86-01 5e 98 80 66 ab c3 d4 ..?.c.O..^..f...
0030 - 71 f8 4c f6 ba bd 05 ca-40 e4 e7 11 25 b3 06 3f q.L.....@...%..?
0040 - ff fa b0 15 fc e5 dd 4d-a3 53 47 60 62 f8 0d 7f .......M.SG`b...
0050 - 1c 9a 9c 62 66 41 9b fb-95 90 65 a1 c3 d4 e4 e5 ...bfA....e.....
0060 - c5 99 02 f5 e7 81 65 89-ad 7d f8 6a 37 1b 40 59 ......e..}.j7.@Y
0070 - 3f ac cc 0d 47 6f e4 f7-5b 80 bd be b0 4b b7 d1 ?...Go..[....K..
0080 - 4f 95 a2 64 9a 3e b1 93-81 a3 bc 83 59 b1 b2 86 O..d.>......Y...
0090 - 2e ba 1f 58 4a 39 cc a3-1a 88 71 d5 ae b8 ce cf ...XJ9....q.....
00a0 - 25 27 e5 3b 04 d5 9a 11-00 b2 8c b2 5f 26 2b 12 %'.;........_&+.
00b0 - 33 a8 83 18 e8 11 ce ab-ad b8 b8 bb ce 6f 11 68 3............o.h
Start Time: 1576213322
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: yes
---
and
$ echo|openssl s_client -connect raw.githubusercontent.com:443 2>/dev/null | openssl x509 -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
08:3a:84:59:2f:77:f2:e7:95:1b:f8:87:ce:de:c9:66
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
Validity
Not Before: Mar 23 00:00:00 2017 GMT
Not After : May 13 12:00:00 2020 GMT
Subject: C = US, ST = California, L = San Francisco, O = "GitHub, Inc.", CN = www.github.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:c6:d3:f1:8a:3b:cf:a4:45:f2:cb:70:67:d7:45:
9f:a1:69:8a:4d:6e:f9:dd:4b:f6:3e:eb:03:36:66:
a5:c7:fe:e6:a8:5a:a2:e4:1a:8a:e3:15:90:1d:08:
12:a7:28:5e:76:0b:56:21:75:82:24:61:ed:80:55:
5c:93:e0:c1:01:b1:e2:1e:c1:3a:ed:ec:29:57:56:
b6:97:61:a9:a8:d0:85:4d:4e:fb:52:ca:0d:54:3f:
f1:3f:2c:77:93:e7:0f:5f:dc:bc:ae:a8:cc:89:90:
77:c6:cd:73:28:36:01:91:ca:01:56:b0:3e:88:ed:
f6:dd:89:09:98:22:c4:5c:23:b6:3b:b6:f5:b7:02:
c5:5a:43:70:31:de:de:ee:7b:5e:bb:6b:82:32:fc:
4d:a7:94:20:db:63:08:9f:7d:ed:d9:e8:0c:3d:f2:
03:53:f4:dc:28:37:f2:6a:dc:b9:fa:ce:85:de:0c:
e1:ed:e2:20:9e:a3:50:37:44:ff:e5:fa:5a:62:4a:
9d:c7:c8:f6:d5:00:ec:23:21:7f:09:f4:a9:03:9a:
8a:2e:e8:65:ba:ef:31:ad:46:e7:73:43:22:81:7e:
d5:4e:14:bd:3d:b7:f1:31:24:35:71:04:1f:6c:67:
71:a1:03:49:4c:d1:f1:5e:ff:99:4d:70:31:28:28:
ee:e7
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:51:68:FF:90:AF:02:07:75:3C:CC:D9:65:64:62:A2:12:B8:59:72:3B
X509v3 Subject Key Identifier:
30:82:29:D8:6D:4C:E0:D4:A2:C6:10:48:05:80:87:A8:BC:AA:E9:12
X509v3 Subject Alternative Name:
DNS:www.github.com, DNS:*.github.com, DNS:github.com, DNS:*.github.io, DNS:github.io, DNS:*.githubusercontent.com, DNS:githubusercontent.com
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl3.digicert.com/sha2-ha-server-g5.crl
Full Name:
URI:http://crl4.digicert.com/sha2-ha-server-g5.crl
X509v3 Certificate Policies:
Policy: 2.16.840.1.114412.1.1
CPS: https://www.digicert.com/CPS
Policy: 2.23.140.1.2.2
Authority Information Access:
OCSP - URI:http://ocsp.digicert.com
CA Issuers - URI:http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crt
X509v3 Basic Constraints: critical
CA:FALSE
CT Precertificate SCTs:
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : A4:B9:09:90:B4:18:58:14:87:BB:13:A2:CC:67:70:0A:
3C:35:98:04:F9:1B:DF:B8:E3:77:CD:0E:C8:0D:DC:10
Timestamp : Mar 23 22:19:01.508 2017 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:45:02:20:45:5E:C5:9A:0B:56:EE:A7:C4:34:26:0A:
D8:F4:48:08:C6:3A:A2:D6:FD:9F:03:A6:60:E3:88:91:
5D:24:32:CB:02:21:00:8C:E1:CD:4D:73:96:C7:89:87:
9F:B2:5D:CE:54:D4:8F:A9:82:A4:66:5D:BD:57:70:F2:
2C:18:BF:28:39:DC:23
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : 56:14:06:9A:2F:D7:C2:EC:D3:F5:E1:BD:44:B2:3E:C7:
46:76:B9:BC:99:11:5C:C0:EF:94:98:55:D6:89:D0:DD
Timestamp : Mar 23 22:19:01.605 2017 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:44:02:20:4A:40:CB:32:4A:68:FA:F6:82:99:31:E0:
BE:30:3A:24:2E:BA:D5:37:6B:4A:F8:E3:25:CD:FD:53:
E6:A8:07:B6:02:20:44:92:CD:1A:F7:D6:0E:63:29:08:
AF:E2:58:F4:A6:32:C6:0A:DB:26:32:4E:5F:4A:6E:D1:
C1:B4:FE:56:A6:47
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : EE:4B:BD:B7:75:CE:60:BA:E1:42:69:1F:AB:E1:9E:66:
A3:0F:7E:5F:B0:72:D8:83:00:C4:7B:89:7A:A8:FD:CB
Timestamp : Mar 23 22:19:01.535 2017 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:45:02:20:0D:A7:D1:36:DE:01:AE:4A:6E:E3:A9:9D:
7A:49:6E:73:9B:C1:C9:29:3A:C1:EC:68:DF:B6:AC:0E:
D9:03:5E:98:02:21:00:97:B2:53:9D:53:DD:98:57:1A:
BB:3C:0B:8E:03:44:48:C4:45:B6:7E:01:AF:39:BD:5C:
94:CF:25:B6:96:3D:A7
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : BB:D9:DF:BC:1F:8A:71:B5:93:94:23:97:AA:92:7B:47:
38:57:95:0A:AB:52:E8:1A:90:96:64:36:8E:1E:D1:85
Timestamp : Mar 23 22:19:01.521 2017 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:45:02:21:00:AA:AE:DB:AA:EF:52:7A:4C:CE:F0:28:
C5:9E:48:04:4E:75:36:BC:7F:7E:46:A0:B3:08:98:95:
CE:35:23:47:7D:02:20:38:DB:D2:BB:F5:47:E6:39:59:
D7:E3:C3:F9:BE:93:84:51:75:FA:95:7B:C2:9E:F0:AB:
EF:FC:C6:21:D4:32:5B
Signature Algorithm: sha256WithRSAEncryption
99:7e:d6:2f:ce:1b:a6:15:f5:15:b3:ef:f1:30:c1:1f:54:10:
92:a4:8c:43:c0:bc:bd:a5:0d:00:53:e2:42:c1:85:6f:e5:a7:
a9:41:99:4b:46:11:5a:dd:fd:e8:27:69:97:b6:3c:a6:0e:2a:
30:db:33:53:be:83:b0:aa:08:89:04:7e:66:35:e5:5c:b3:2c:
28:7f:a7:b1:e5:27:79:6d:81:26:89:ea:a0:55:51:70:10:cb:
eb:43:59:6b:aa:52:b4:46:fd:d2:ff:89:16:8a:45:da:0e:bf:
87:0d:53:ef:83:24:c5:17:ad:12:63:40:74:80:4d:bd:a4:c9:
dd:74:d9:df:1c:61:02:0a:71:b0:93:24:2f:2d:a9:20:7a:43:
86:44:11:58:8a:45:9b:d7:5c:e2:66:eb:a6:c6:f1:7c:a7:dc:
dd:af:27:89:39:f7:c1:9a:99:c8:7f:34:7a:d9:39:73:83:cb:
73:75:bc:16:b0:4e:a1:49:2d:09:12:8d:4e:3e:63:ff:f0:88:
71:df:50:46:2b:a5:38:3d:db:38:08:97:29:64:de:cb:c7:eb:
88:70:59:dd:62:dc:16:76:2d:30:6a:e3:a3:2f:40:a5:36:0f:
cc:05:76:d5:e0:6e:04:40:3d:6a:21:5f:bf:4e:a3:a8:6c:d0:
98:21:b9:bd
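A way to turn the manual openssl check above into something a script can act on, as an added example that is not part of the thread or of apt-cyg: it parses the "Verify return code" that s_client prints together with the issuer of the leaf certificate, so a missing or stale CA bundle (OpenSSL codes 20/21, the ca-certificates case) can be told apart from a chain ending in an unknown self-signed root (codes 18/19), which is what a TLS-intercepting proxy, or an attacker, looks like. The function names and the three sample outputs are constructed for the example; the numeric codes are OpenSSL's X509 verification error codes.

```bash
#!/bin/bash
# Added example (not from the thread or apt-cyg): classify the verification
# result of `openssl s_client` before deciding what to do about a failure.
# Function names are hypothetical; the SAMPLE_* outputs below are constructed.

# tls_probe HOST [PORT]: raw s_client session output for HOST (needs network).
tls_probe() {
  echo | openssl s_client -connect "$1:${2:-443}" -servername "$1" 2>/dev/null
}

# classify_verify: reads s_client output on stdin, prints "<kind> issuer=<leaf issuer>"
# and returns 0 only when the chain verified. Codes are OpenSSL X509_V_ERR_* values.
classify_verify() {
  local out code issuer kind
  out=$(cat)
  code=$(printf '%s\n' "$out" | sed -n 's/^[[:space:]]*Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1)
  issuer=$(printf '%s\n' "$out" | sed -n 's/^[[:space:]]*i:\(.*\)$/\1/p' | head -n 1)
  case ${code:-none} in
    0)     kind=ok ;;                # chain builds to a trusted root
    20|21) kind=no-local-issuer ;;   # issuer not in the local trust store: ca-certificates
                                     # missing/stale, or the server sent an incomplete chain
    18|19) kind=untrusted-root ;;    # self-signed cert in the chain: interception proxy or MITM
    10)    kind=expired ;;
    62)    kind=hostname-mismatch ;;
    *)     kind=other ;;
  esac
  printf '%s issuer=%s\n' "$kind" "${issuer:-unknown}"
  [ "$kind" = ok ]
}

# tls_check HOST EXPECTED_ISSUER_SUBSTRING: one-shot check for scripts.
# Even a chain that verifies is worth comparing against the issuer you expect
# (DigiCert for raw.githubusercontent.com in the output above): a corporate
# root pushed into the trust store verifies fine but is still an interception.
tls_check() {
  local result
  result=$(tls_probe "$1" | classify_verify) || { echo "$1: $result" >&2; return 1; }
  case $result in
    *"$2"*) echo "$1: $result"; return 0 ;;
    *) echo "$1: verified, but issuer is not '$2': $result" >&2; return 2 ;;
  esac
}

# Constructed sample outputs, abridged to the lines the parser uses.
SAMPLE_OK='Certificate chain
 0 s:C = US, O = "GitHub, Inc.", CN = www.github.com
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
---
    Verify return code: 0 (ok)'
SAMPLE_PROXY='Certificate chain
 0 s:CN = raw.githubusercontent.com
   i:CN = Example Corp TLS Inspection CA
---
    Verify return code: 19 (self signed certificate in certificate chain)'
SAMPLE_NOCA='Certificate chain
 0 s:C = US, O = "GitHub, Inc.", CN = www.github.com
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
---
    Verify return code: 20 (unable to get local issuer certificate)'

# Live use (not run here): tls_check raw.githubusercontent.com DigiCert
```

Against a live host, `tls_check raw.githubusercontent.com DigiCert` answers the question the thread is circling: a `no-local-issuer` result points at the CA bundle (reinstall ca-certificates), while `untrusted-root` with an issuer that is not DigiCert is exactly the situation in which adding --no-check-certificate would hide an interception rather than fix a configuration problem.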