wget-dev

Re: wget2 | Fedora 40 ships Wget2 as Wget (#661)


From: Romain Geissler (@Romain-Geissler-1A)
Subject: Re: wget2 | Fedora 40 ships Wget2 as Wget (#661)
Date: Mon, 13 May 2024 09:28:35 +0000



Romain Geissler commented: 
https://gitlab.com/gnuwget/wget2/-/issues/661#note_1902414414


Hi,

In our company, when testing Fedora 40 to get a snapshot of the future RHEL 10, 
we also hit some issues, which in our case broke our CI completely ;) 
Documenting it here in case anyone from another organization hits similar issues.

 - First, there is a privacy concern with OCSP being enabled by default. My 
colleague @freedge1 opened a dedicated ticket here: 
https://gitlab.com/gnuwget/wget2/-/issues/664. In short, now each time you open 
a TLS connection (actually this is cached, so mostly the first time you do), 
unless the server itself serves OCSP replies, you will reach all 
certificate issuers in the certificate chain via HTTP to check whether the used 
certificate is still valid. It's "new" as the previous wget didn't do it, and 
actually all browsers disabled this. At the very least, if the privacy concern is 
not a problem for you, it implies updating your firewalling rules to "allow" 
this new traffic. In our case, we had this external traffic when contacting a 
private on-premise Artifactory server, so it was definitely unexpected to see 
external traffic for a wget download targeting internal servers.
 - Second, and again seemingly related to firewalling issues: for us, the default 
usage of TCP Fast Open, combined with OCSP (i.e. reaching 
ocsp.userstrust.com/ocsp.comodoca.com), "failed". By "failed" I mean it was 
working for the first few connections, then any subsequent TCP connections were 
blocked in SYN_SENT status. Most likely (this is still under investigation on 
our side) we have some security/firewalling actor in our network which makes 
this flow broken for now. One possible workaround for this is to use 
`--no-tcp-fastopen` (which we fixed here as it was not working: 
https://github.com/rockdaboot/wget2/pull/316, and which was already backported 
in Fedora 40; packages will be published soon). If we hit this, it's possible 
that other organizations with a GSOC might hit similar firewalling issues.

Cheers,
Romain

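Added example, not code from the post or from the wget2 project: a stdlib-only Python helper that lists the OCSP responder hosts a DER-encoded certificate points to, which is the outbound HTTP traffic the first bullet describes and the input a firewall allow-list needs. The AIA sample blob and the `example.net` hosts are constructed for the demonstration.

```python
import re

# DER encodings of the AIA access-method OIDs (RFC 5280, section 4.2.2.1):
# id-ad-ocsp 1.3.6.1.5.5.7.48.1 and id-ad-caIssuers 1.3.6.1.5.5.7.48.2.
ID_AD_OCSP = bytes.fromhex("06082b06010505073001")
ID_AD_CAISSUERS = bytes.fromhex("06082b06010505073002")
URI_TAG = 0x86  # GeneralName uniformResourceIdentifier, context tag [6]


def ocsp_responders(cert_der: bytes) -> list[str]:
    """Return the OCSP responder URIs named in a DER certificate (or in a bare
    AIA extension value). Each AccessDescription is the method OID followed by
    a GeneralName, so scanning for the OID and reading the URI that follows it
    is sufficient for well-formed input without a full ASN.1 parser."""
    uris, pos = [], 0
    while (pos := cert_der.find(ID_AD_OCSP, pos)) >= 0:
        pos += len(ID_AD_OCSP)
        if pos + 1 >= len(cert_der) or cert_der[pos] != URI_TAG:
            continue  # not a URI GeneralName (e.g. a directoryName); skip it
        length, start = cert_der[pos + 1], pos + 2
        if length & 0x80:  # long-form length: 0x8n, then n length bytes
            n = length & 0x7F
            length = int.from_bytes(cert_der[start:start + n], "big")
            start += n
        uris.append(cert_der[start:start + length].decode("ascii"))
        pos = start + length
    return uris


def responder_hosts(cert_der: bytes) -> set[str]:
    """Hostnames the OCSP lookups go to, i.e. what a firewall allow rule needs."""
    return {re.sub(r"^https?://", "", u).split("/")[0] for u in ocsp_responders(cert_der)}


def _der(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV builder for the constructed sample (short-form length only)."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body


# Constructed sample: an AIA extension value with one OCSP responder and one
# caIssuers entry; the latter is not an OCSP endpoint and must be ignored.
SAMPLE_AIA = _der(0x30,
    _der(0x30, ID_AD_OCSP + _der(URI_TAG, b"http://ocsp.example.net"))
    + _der(0x30, ID_AD_CAISSUERS + _der(URI_TAG, b"http://ca.example.net/issuer.crt")))

if __name__ == "__main__":
    print(ocsp_responders(SAMPLE_AIA))          # ['http://ocsp.example.net']
    print(sorted(responder_hosts(SAMPLE_AIA)))  # ['ocsp.example.net']
```

To run it on a real chain, feed it the DER of each certificate wget2 would validate (for example the `-showcerts` output of `openssl s_client`, converted with `openssl x509 -outform DER`); every host it returns is external traffic the firewall has to allow, or a reason to reconsider the OCSP default.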



