wget certificate verification concerns

Scott Court z5t1 at z5t1.com
Sat Jun 27 13:58:07 UTC 2020


Regarding the patch I submitted yesterday, I apologize; I was
inadvertently on the wrong branch, and I see now that this issue has
already been addressed on master and in the 1.32 unstable release in
commit 45fa3f1. I have been looking at the changes introduced in that
commit, and I have a few concerns:

 1. OpenSSL's s_client doesn't appear to exit with an error if just the
    `-verify_return_error` flag is used. I've tested this on BusyBox
    1.32 with OpenSSL 1.0.2u and LibreSSL 3.1.3 and am still able to
    `wget https://expired.badssl.com` without getting an error. To cause
    s_client to abort with an error, it is necessary to also use the
    `-verify 100` flag. Further reading on this is available at
    https://www.vdoo.com/ja/blog/busybox-wget-case.
 2. Even with the `-verify 100 -verify_return_error` flags, OpenSSL does
    not verify that the certificate is valid for the requested hostname.
    For hostname verification to work, it is necessary to use
    `-verify_hostname <hostname>` for hostname based requests or
    `-verify-ip` for IP address based requests.
 3. The `-verify_return_error` flag gets added in argv[7]. If the end
    user uses wget on an IP address rather than a hostname, argv[5] and
    argv[6] will remain set to null, causing execvp not to pass any
    arguments after argv[4] to s_client and resulting in no check being
    performed.
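To make point 3 concrete, here is a small added illustration (written for this reply; it is not BusyBox's code and does not reproduce its source). It models an argv array for `openssl s_client` in which slots 5 and 6 hold `-servername <host>` only for hostname targets and a verification flag is written to a fixed slot 7, as described above, and compares it with building the array by appending. The slot layout is an assumption based on the description in point 3; `effective_argc()` counts what execvp would actually pass, since it stops at the first NULL. The IP address `192.0.2.10` is a constructed sample from the documentation range.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define ARGV_SLOTS 16
#define CONNECT_LEN 256

/* Crude check: digits and dots only, treated as an IPv4 literal. */
static int looks_like_ipv4(const char *s)
{
    if (*s == '\0')
        return 0;
    for (; *s; s++)
        if (!isdigit((unsigned char)*s) && *s != '.')
            return 0;
    return 1;
}

/* Hypothetical "fixed slot" layout modelled on point 3 of the post:
 * slots 5 and 6 are filled only for hostnames, slot 7 always gets the
 * verification flag. For an IP target, slots 5 and 6 stay NULL. */
void build_argv_fixed_slot(const char *argv[ARGV_SLOTS],
                           char connect_buf[CONNECT_LEN],
                           const char *host, const char *port)
{
    memset(argv, 0, ARGV_SLOTS * sizeof *argv);
    snprintf(connect_buf, CONNECT_LEN, "%s:%s", host, port);
    argv[0] = "openssl";
    argv[1] = "s_client";
    argv[2] = "-quiet";
    argv[3] = "-connect";
    argv[4] = connect_buf;
    if (!looks_like_ipv4(host)) {
        argv[5] = "-servername";
        argv[6] = host;
    }
    argv[7] = "-verify_return_error";
    argv[8] = NULL;
}

/* Safe alternative: append every argument at the next free slot, and
 * pass the flags the post says are needed for a real check:
 * -verify 100 -verify_return_error plus -verify_hostname or -verify_ip. */
void build_argv_append(const char *argv[ARGV_SLOTS],
                       char connect_buf[CONNECT_LEN],
                       const char *host, const char *port)
{
    size_t n = 0;
    memset(argv, 0, ARGV_SLOTS * sizeof *argv);
    snprintf(connect_buf, CONNECT_LEN, "%s:%s", host, port);
    argv[n++] = "openssl";
    argv[n++] = "s_client";
    argv[n++] = "-quiet";
    argv[n++] = "-connect";
    argv[n++] = connect_buf;
    if (looks_like_ipv4(host)) {
        argv[n++] = "-verify_ip";
        argv[n++] = host;
    } else {
        argv[n++] = "-servername";
        argv[n++] = host;
        argv[n++] = "-verify_hostname";
        argv[n++] = host;
    }
    argv[n++] = "-verify";
    argv[n++] = "100";
    argv[n++] = "-verify_return_error";
    argv[n] = NULL;
}

/* execvp reads argv up to the first NULL; everything after is invisible. */
size_t effective_argc(const char *const argv[])
{
    size_t n = 0;
    while (argv[n] != NULL)
        n++;
    return n;
}

/* Is the given argument among those the child process would see? */
int effective_has_arg(const char *const argv[], const char *arg)
{
    for (size_t i = 0; argv[i] != NULL; i++)
        if (strcmp(argv[i], arg) == 0)
            return 1;
    return 0;
}

static void show(const char *label, const char *const argv[])
{
    printf("%s: %zu args, -verify_return_error %s\n", label,
           effective_argc(argv),
           effective_has_arg(argv, "-verify_return_error") ? "seen" : "LOST");
}

int main(void)
{
    const char *argv[ARGV_SLOTS];
    char buf[CONNECT_LEN];

    build_argv_fixed_slot(argv, buf, "expired.badssl.com", "443");
    show("fixed slot, hostname", argv);
    build_argv_fixed_slot(argv, buf, "192.0.2.10", "443");
    show("fixed slot, IP      ", argv);
    build_argv_append(argv, buf, "192.0.2.10", "443");
    show("append, IP          ", argv);
    return 0;
}
```

With the fixed-slot layout the IP case yields only five visible arguments, so s_client never receives the verification flag at all; appending at the next free slot keeps the list contiguous regardless of which optional arguments were added.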
