If (opt.check_cert = CHECK_CERT_ON & !success) Quotearg_style (escape_quoting_style, host))) This may be an indication that the host is not who it claims to be\n\ĭEBUGP (("X509 certificate successfully verified and matches host %s\n", %s: certificate common name is invalid (contains a NUL character).\n\ If (strlen (common_name) != (size_t) ASN1_STRING_length (sdata)) Sdata = X509_NAME_ENTRY_get_data(xentry) J = X509_NAME_get_index_by_NID (xname, NID_commonName, i) * differs from common_name's length, then there is a \0
* We now determine the length of the ASN1 string. Severity, quote_n (0, common_name), quote_n (1, host)) %s: certificate common name %s doesn't match requested host name %s.\n"), X509_NAME_get_text_by_NID (xname, NID_commonName, common_name, X509_NAME *xname = X509_get_subject_name(cert) _("%s: no certificate subject alternative name matches\n" If (alt_name_checked = true & i >= numaltnames) Sk_GENERAL_NAME_pop_free(subjectAltNames, GENERAL_NAME_free) ĪSN1_OCTET_STRING_free(host_in_octet_string) (size_t) ASN1_STRING_length (name->d.dNSName))) If (pattern_match ((char *)name_in_utf8, host) & * Compare and check for NULL attack in ASN1_STRING */ * does trust CA? Convert it into UTF-8 for sure. If (!ASN1_STRING_cmp (host_in_octet_string, * TODO: Should we convert between IPv4-mapped IPv6 Int numaltnames = sk_GENERAL_NAME_num (subjectAltNames) * Do we want to check for dNSNAmes or ipAddresses (see RFC 2818)?ĪSN1_OCTET_STRING *host_in_octet_string = a2i_IPADDRESS (host) SubjectAltNames = X509_get_ext_d2i (cert, NID_subject_alt_name, NULL, NULL) UTF-8 which can be meaningfully compared to HOST. Ensure that ASN1 strings from the certificate are encoded as
#Wget no check certificate code
One, not the first one, which the current code picks. When matching against common names, it should loop over allĬommon names and choose the most specific one, i.e. * Check that HOST matches the common name in the certificate. With the cert (important with -no-check-certificate.) */ * Fall through, so that the user is warned about *all* issues X509_verify_cert_error_string (vresult)) * For the less frequent error strings, simply provide the Logprintf (LOG_NOTQUIET, _(" Issued certificate has expired.\n")) Logprintf (LOG_NOTQUIET, _(" Issued certificate not yet valid.\n")) _(" Self-signed certificate encountered.\n")) _(" Unable to locally verify the issuer's authority.\n")) Ĭase X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:Ĭase X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: * Try to print more user-friendly (and translated) messages forĬase X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: Severity, quotearg_n_style (0, escape_quoting_style, host), _("%s: cannot verify %s's certificate, issued by %s:\n"), Quotearg_n_style (1, escape_quoting_style, issuer))) Quotearg_n_style (0, escape_quoting_style, subject), Goto no_cert /* must bail out since CERT is NULL */Ĭhar *subject = _get_rfc2253_formatted (X509_get_subject_name (cert)) Ĭhar *issuer = _get_rfc2253_formatted (X509_get_issuer_name (cert)) ĭEBUGP (("certificate:\n subject: %s\n issuer: %s\n", Severity, quotearg_style (escape_quoting_style, host))
Logprintf (LOG_NOTQUIET, _("%s: No certificate presented by %s.\n"), * The user explicitly said to not check for the certificate. Struct openssl_transport_context *ctx = fd_transport_context (fd) */Ĭonst char *severity = opt.check_cert ? _("ERROR") : _("WARNING") Him about problems with the server's certificate. * If the user has specified -no-check-cert, we still want to warn Ssl_check_certificate (int fd, const char *host)
#Wget no check certificate update
I tried rename wget,wget-ssl to owget,owget-ssl in /usr/bin,and then create a sh script with content "owget -no-check-certificate ln xx.sh wget and wget-ssl,but doesn't work yet,opkg update show wget return 1,still failed,so I have to try another way.Ĥ.use wget -version I got this is wget-1.17.1.Quickly I got source code of this version from īut if you think I gonna modify the source code and recompile it,no,I'm too lazy to config cross compile enviroment since this is not a very well known linux distrbution and I may hang on configuration of cross compile enviroment for a long time.Simple use IDA to patch it :)ĥ.First I searched "-no-check-certificate" string and found the function we need should be in wget-1.17.1\src\openssl.c
Then I found that "To connect to insecurely",means there is another certificate check failed.
* To connect to insecurely, use `-no-check-certificate‘.ģ.First make sure you got right DNS configuration in /etc/nf
0 kommentar(er)
