wget-dev

Re: wget2 | New option --dane (!522)


From: John Scott (@j0hns)
Subject: Re: wget2 | New option --dane (!522)
Date: Sat, 15 Apr 2023 18:49:20 +0000



John Scott commented:


You're incredible! Unfortunately, I'm having a hard time getting DANE to work 
on its own. I'm testing it like this:
```
$ bin/wget2_noinstall --ca-certificate /dev/null --ca-directory=/tmp --dane  -d 
 https://debian.org
15.144605.683 name=ca-certificate value=/dev/null invert=0
15.144605.683 name=ca-directory value=/tmp invert=0
15.144605.683 name=dane value=-d invert=0
15.144605.683 Local URI encoding = 'UTF-8'
15.144605.683 Input URI encoding = 'UTF-8'
15.144605.684 Fetched HSTS data from '/home/john/.local/share/wget/.wget-hsts'
15.144605.684 Fetched HPKP data from '/home/john/.local/share/wget/.wget-hpkp'
15.144605.684 Fetched OCSP hosts from 
'/home/john/.local/share/wget/.wget-ocsp_hosts'
15.144605.684 add OCSP cert 
1bc5a61a2c0c0132c52b284f3da0d8dacf717a0f6c1ddf81d80b36eee4442869 
(maxage=1681587756,valid=1)
15.144605.684 Fetched OCSP fingerprints from 
'/home/john/.local/share/wget/.wget-ocsp'
15.144605.684 *url = 
15.144605.684 *3 https://debian.org
15.144605.684 local filename = 'index.html'
15.144605.684 host_add_job: job fname index.html
15.144605.684 host_add_job: 0x557a5ae04360 https://debian.org
15.144605.684 host_add_job: qsize 1 host-qsize=1
15.144605.684 queue_size: qsize=1

15.144605.685 queue_size: qsize=1

15.144605.685 queue_size: qsize=1
15.144605.685 queue_size: [Files: 0  Bytes: 0  [0 B/s] Redirects: 0  Todo: 1  
Errors: 0                                  ]
15.144605.685 [0] action=1 pending=0 host=0x0
15.144605.685 dequeue job https://debian.org
15.144605.685 resolving debian.org:443...
15.144605.800 has 2603:400a:ffff:bb8::801f:3e:443
15.144605.800 has 2001:67c:2564:a119::77:443
15.144605.800 has 2001:4f8:1:c::15:443
15.144605.800 has 130.89.148.77:443
15.144605.800 has 128.31.0.62:443
15.144605.800 has 149.20.4.15:443
No CAs were found in '/dev/null'
15.144605.803 Certificates loaded: 0
15.144605.803 GnuTLS init done
ERROR: The certificate is NOT trusted. The certificate issuer is unknown. 
15.144605.925 gnutls_handshake: (-43) Error in the certificate. (errno=11)
15.144605.926 closing connection
15.144605.926 host_final_failure: qsize=0
15.144605.926 set_exit_status(5)
15.144605.926 host_increase_failure: debian.org failures=1
15.144605.926 [0] action=3 pending=1 host=0x557a5ae042e0
15.144605.926 released job https://debian.org
15.144605.926 [0] action=1 pending=0 host=0x0
15.144605.926 host debian.org is blocked (qsize=1)
15.144605.926 main: wake up
15.144605.926 main: done
15.144605.926 queue_size: [Files: 0  Bytes: 0  [0 B/s] Redirects: 0  Todo: 0  
Errors: 0                                  ]
15.144605.926 Successfully updated 
'/home/john/.local/share/wget/.wget-ocsp_hosts'.
15.144605.926 Saved OCSP hosts to 
'/home/john/.local/share/wget/.wget-ocsp_hosts'
15.144605.926 Successfully updated '/home/john/.local/share/wget/.wget-ocsp'.
15.144605.926 Saved OCSP fingerprints to 
'/home/john/.local/share/wget/.wget-ocsp'
15.144605.926 blacklist https://debian.org
```
When I allow the normal CA certs to be used in addition to DANE, then it works 
fine. But the whole point of DANE is that DANE provides authenticity on its own 
and we shouldn't need those. I'm running a validating DNS resolver on my system 
and use DANE and DNSSEC with other applications without problem.

Thank you so much for taking this up!

-- 
Reply to this email directly or view it on GitLab: 
https://gitlab.com/gnuwget/wget2/-/merge_requests/522#note_1354101004
You're receiving this email because of your account on gitlab.com.
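
Added example, not part of the message above and not wget2 code: a sketch of how the TLSA parameters defined in RFC 6698 decide whether a matching leaf certificate still depends on CA path validation, which is the case an empty CA store exercises. It goes beyond the message by covering the certificate-usage field. All function names are hypothetical, and the certificate and key bytes are constructed placeholders rather than real DER.

```python
import hashlib
import hmac
from dataclasses import dataclass

USAGES = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}
DIGESTS = {0: lambda b: b, 1: lambda b: hashlib.sha256(b).digest(),
           2: lambda b: hashlib.sha512(b).digest()}

@dataclass(frozen=True)
class Tlsa:
    usage: int
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int      # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes

def parse_tlsa(text: str) -> Tlsa:
    """Parse TLSA RDATA in presentation format, e.g. '3 1 1 <hex>'."""
    usage, selector, mtype, *hex_parts = text.split()
    rec = Tlsa(int(usage), int(selector), int(mtype),
               bytes.fromhex("".join(hex_parts)))
    if rec.usage not in USAGES or rec.selector not in (0, 1) or rec.mtype not in DIGESTS:
        raise ValueError(f"unsupported TLSA parameters: {text!r}")
    return rec

def leaf_matches(rec: Tlsa, cert_der: bytes, spki_der: bytes) -> bool:
    selected = cert_der if rec.selector == 0 else spki_der
    return hmac.compare_digest(DIGESTS[rec.mtype](selected), rec.data)

def authenticate_leaf(records, dnssec_secure, cert_der, spki_der, pkix_ok):
    """Decide whether the server's leaf certificate is authenticated.

    pkix_ok is the result of ordinary CA path validation; with an empty
    CA store it is always False.
    """
    if not dnssec_secure:        # TLSA data without DNSSEC proof is unusable
        return False
    for rec in records:
        if rec.usage not in (1, 3):    # 0 and 2 pin a CA or trust anchor in
            continue                   # the chain; chain handling omitted here
        if not leaf_matches(rec, cert_der, spki_der):
            continue
        if rec.usage == 3 or pkix_ok:  # only PKIX-EE also needs the CA path
            return True
    return False

# Constructed stand-ins for DER bytes (not a real certificate or key).
SAMPLE_CERT = b"constructed-certificate-der"
SAMPLE_SPKI = b"constructed-spki-der"
SAMPLE_PIN = hashlib.sha256(SAMPLE_SPKI).hexdigest()
```

With `pkix_ok=False`, a matching `3 1 1` record authenticates the leaf while a matching `1 1 1` record does not, so the usage value of the published records is worth checking when testing a DANE-only configuration.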



