wget-dev

Re: wget2 | information leak with ocsp validation (#664)


From: frigo (@freedge1)
Subject: Re: wget2 | information leak with ocsp validation (#664)
Date: Sat, 11 May 2024 19:48:48 +0000



frigo commented: https://gitlab.com/gnuwget/wget2/-/issues/664#note_1901610438


> wget2 tries to validate the chain of certificates

This is not completely correct. I think the first certificate is skipped. I 
was initially testing with 

    openssl s_server -key  key -cert_chain cert.bundle.crt -cert cert.bundle.crt

and in that case the server certificate is present twice, and so wget will 
validate it. In normal circumstances (e.g. `wget https://github.com`) the 
server certificate is not validated, only the intermediate certificates are 
validated, so the github.com certificate serial is not leaked (but also, not 
validated); only the intermediate certificates' serials are leaked.

I think that if the server staples an OCSP response, the first intermediate 
certificate is not validated (if I read the code correctly). Something like the 
following would be needed to validate the full list:
```diff
diff --git a/libwget/ssl_gnutls.c b/libwget/ssl_gnutls.c
index 35f20279..5524c02c 100644
--- a/libwget/ssl_gnutls.c
+++ b/libwget/ssl_gnutls.c
@@ -1153,7 +1153,7 @@ static int verify_certificate_callback(gnutls_session_t 
session)
                cert_verify_hpkp(cert, hostname, session);

 #ifdef WITH_OCSP
-               if (config.ocsp && it > nvalid) {
+               if (config.ocsp && it >= nvalid) {
                        char fingerprint[64 * 2 +1];
                        int revoked;
```
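Review bot: the hunk changes the loop bound from `it > nvalid` to `it >= nvalid` but nothing in the visible context says what `nvalid` counts, so it is not clear from the diff alone whether the off-by-one is in this comparison or in how `nvalid` is computed earlier; before merging, confirm with a server that staples an OCSP response and a chain of known length exactly which certificates end up being queried, and add a one-line comment above the `if` stating what `nvalid` means. Note also that the `@@ -1153,7 +1153,7 @@ static int verify_certificate_callback(gnutls_session_t` header has been wrapped onto two lines in the paste (`session)` stands alone), so the patch will not apply as shown and should be re-sent unwrapped or as an attachment.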




