wget: where does it look for certificates?


Problem description

I have an HTTPS-site that needs an intermediate-certificate to verify the server's SSL-certificate.

If I put the intermediate-cert into /etc/ssl/certs (and make the hash-link) then

openssl s_client -connect IP:PORT

will work. Otherwise I get a verification error.

Where does wget look for certificates? I only can make it work if I explicitly set --ca-directory in wget.

So it seems openssl looks into /etc/ssl/certs and wget does not.

Thanks!

Edit

If I run wget with -d then I see without --ca-directory it loads about 150 certificates. With the option it is over 300. So it must be another path than openssl-default I think.

Wget 1.19.4 on linux-gnu on Debian 10

Recommended answer

According to wget's man page:

Without this option Wget looks for CA certificates at the system-specified locations, chosen at OpenSSL installation time.

Where's that? Turns out, that's complicated. It depends on your system, etc.

Simple ways to find out what wget actually does are

  1. reading its output:

Loaded CA certificate '/etc/ssl/certs/ca-certificates.crt'

  2. using strace:

    strace wget https://your-url

    In the output, you can read which files wget opened, tried to open, etc.

    Since strace produces quite a lot of output, you may want to limit it to certain syscalls. It looks like wget uses openat to read files, so:

    strace -e openat wget https://your-url
    

    The output contains lines such as:

    openat(AT_FDCWD, "/usr/share/ca-certificates/trust-source/mozilla.trust.p11-kit", O_RDONLY|O_CLOEXEC) = 4
    openat(AT_FDCWD, "/usr/share/ca-certificates/trust-source/anchors/CAcert.org_root.crt", O_RDONLY|O_CLOEXEC) = 4
    openat(AT_FDCWD, "/usr/share/ca-certificates/trust-source/anchors/CAcert.org_class3.crt", O_RDONLY|O_CLOEXEC) = 4
    openat(AT_FDCWD, "/etc/ssl/certs/ca-certificates.crt", O_RDONLY) = 3
    

    And there are even more locations it looks at, they might even be different for your system.
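
The strace approach from the answer above, as an added example that is not part of the original answer: a shell filter that reduces `strace -e openat` output to the certificate-related paths and shows whether each open succeeded. The path filter, the function names and the sample trace are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original answer.
# Capture a trace:  strace -o trace.txt -e openat wget https://your-url
# Summarise it:     cert_opens < trace.txt

# Print "STATUS<TAB>PATH" for each openat() on a trust-store-like path.
# STATUS is "opened" or the errno name (for example ENOENT).
# The path filter is a heuristic chosen for this example, not a wget rule.
cert_opens() {
    awk '
        /openat\(/ {
            # The path is the first double-quoted string on the line.
            if (!match($0, /"[^"]*"/)) next
            path = substr($0, RSTART + 1, RLENGTH - 2)
            if (path !~ /\/certs\/|ca-certificates|\.crt$|\.pem$/) next
            # The return value follows the last " = " on the line.
            n = split($0, parts, " = ")
            status = "opened"
            if (parts[n] ~ /^-1/) { split(parts[n], e, " "); status = e[2] }
            print status "\t" path
        }'
}

# Constructed sample: the four lines quoted in the answer plus three made-up
# lines (an unrelated library load and two failed lookups).
sample_trace() {
    cat <<'EOF'
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/share/ca-certificates/trust-source/mozilla.trust.p11-kit", O_RDONLY|O_CLOEXEC) = 4
openat(AT_FDCWD, "/usr/share/ca-certificates/trust-source/anchors/CAcert.org_root.crt", O_RDONLY|O_CLOEXEC) = 4
openat(AT_FDCWD, "/usr/share/ca-certificates/trust-source/anchors/CAcert.org_class3.crt", O_RDONLY|O_CLOEXEC) = 4
openat(AT_FDCWD, "/etc/ssl/certs/ca-certificates.crt", O_RDONLY) = 3
openat(AT_FDCWD, "/etc/ssl/certs/0a1b2c3d.0", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/ssl/cert.pem", O_RDONLY) = -1 ENOENT (No such file or directory)
EOF
}

sample_trace | cert_opens
```

Paths reported with an errno instead of "opened" are locations the process tried but could not read, which is where a missing bundle or hash link shows up.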
