Re: wget2 | Fedora 40 ships Wget2 as Wget (#661)
From: Romain Geissler (@Romain-Geissler-1A)
Subject: Re: wget2 | Fedora 40 ships Wget2 as Wget (#661)
Date: Mon, 13 May 2024 09:28:35 +0000
Romain Geissler commented:
https://gitlab.com/gnuwget/wget2/-/issues/661#note_1902414414
Hi,
In our company, when testing Fedora 40 to get a snapshot of the future RHEL 10,
we also hit some issues, which in our case broke our CI completely ;)
Documenting it here in case anyone from another organization hits similar issues.
- First, there is a privacy concern with OCSP being enabled by default. My
colleague @freedge1 opened a dedicated ticket here:
https://gitlab.com/gnuwget/wget2/-/issues/664. In short, now each time you open
a TLS connection (actually this is cached, so more the first time you do),
unless the server itself serves OCSP replies, you will reach all
certificate issuers in the certificate chain via HTTP to check whether the used
certificate is still valid. It's "new" as the previous wget didn't do it, and
actually all browsers disabled this. At the very least, if the privacy concern is
not a problem for you, it implies updating your firewalling rules to "allow"
this new traffic. In our case, we had this external traffic when contacting a
private on-premise Artifactory server, so it was definitely unexpected to see
external traffic for a wget download targeting internal servers.
- Second, and again seemingly related to firewalling issues, for us the default
usage of TCP Fast Open, combined with OCSP (i.e. reaching
ocsp.userstrust.com/ocsp.comodoca.com), "failed". By "failed" I mean it was
working for the first few connections, then any subsequent TCP connections were
blocked in SYN_SENT status. Most likely (this is still under investigation on
our side) we have some security/firewalling actor in our network which breaks
this flow for now. One possible workaround for this is to use
`--no-tcp-fastopen` (which we fixed here as it was not working:
https://github.com/rockdaboot/wget2/pull/316, and which was already backported
in Fedora 40; packages will be published soon). If we hit this, it's possible
that other organizations with a GSOC might hit similar firewalling issues.
Cheers,
Romain
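As an added example (not code from the wget2 project and not part of Romain's comment), the small POSIX shell helper below shows what a CI job can do about the two behaviours described in the comment: detect that the `wget` binary is actually Wget2, pass flags that keep OCSP issuer lookups and TCP Fast Open off, and pin the same settings in a wget2rc so every invocation gets them. Assumptions, labelled in the code: `--no-ocsp` is the negated form of wget2's boolean `--ocsp` option (only `--no-tcp-fastopen` appears in the comment itself), the startup file path `~/.config/wget2/wget2rc` and its `option = value` line syntax follow the wget2 manual, and the version strings used for the demo are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not the wget2 project's own code.
# Assumptions: wget2 accepts "--no-ocsp" as the negation of "--ocsp"
# (the "--no-tcp-fastopen" form is taken from the comment above), and its
# startup file (~/.config/wget2/wget2rc) takes one "option = value" per line.

# Return 0 if the first line of "wget --version" identifies Wget2.
# Fedora 40 installs wget2 under the name "wget", so the name alone is
# not enough to know which defaults you are getting.
is_wget2_version() {
  case "$1" in
    *[Ww]get2*) return 0 ;;
    *)          return 1 ;;
  esac
}

# Print the extra flags to pass when "wget" is really wget2: keep OCSP
# (and the HTTP requests to every issuer in the chain it triggers) and
# TCP Fast Open off, so a download from an internal host does not
# generate unexpected egress or get stuck in SYN_SENT behind a middlebox.
# Wget 1.x does not know these flags, so print nothing for it.
offline_safe_flags() {
  if is_wget2_version "$1"; then
    printf '%s' '--no-ocsp --no-tcp-fastopen'
  else
    :
  fi
}

# Write a wget2rc to the path in $1 that pins the same settings for every
# invocation, so callers that forget the flags still get safe defaults.
write_wget2rc() {
  mkdir -p "$(dirname "$1")"
  cat > "$1" <<'EOF'
# Do not contact certificate issuers over HTTP for revocation status
# (browsers disabled this; wget 1.x never did it).
ocsp = off
# Do not use TCP Fast Open; some security middleboxes drop TFO SYNs
# after the first few connections.
tcp-fastopen = off
EOF
}

# Demo with constructed version lines (not captured from a real host).
for v in 'GNU Wget2 2.1.0 - multithreaded metalink/file/website downloader' \
         'GNU Wget 1.21.4 built on linux-gnu.'; do
  printf '%s -> [%s]\n' "$v" "$(offline_safe_flags "$v")"
done

# Demo of the pinned startup file, written to a throwaway directory.
demo_dir=$(mktemp -d)
write_wget2rc "$demo_dir/wget2rc"
cat "$demo_dir/wget2rc"
rm -rf "$demo_dir"
```

In a real job you would feed the live version line in, e.g. `flags=$(offline_safe_flags "$(wget --version 2>/dev/null | head -n 1)")` and then `wget $flags "$url"`, or call `write_wget2rc "$HOME/.config/wget2/wget2rc"` once in the image build. Note that disabling OCSP also removes a revocation check; if your policy needs revocation, keep `ocsp = on` and instead open the firewall for the issuers' OCSP responders, which is the other option the comment describes.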