wget, self-signed certs and a custom HTTPS server

DougN picture DougN · Oct 29, 2009 · Viewed 46.4k times · Source

For various reasons I have created a simple HTTP server, and added SSL support via OpenSSL. I'm using self-signed certificates. IE, Firefox and Chrome happily load content as long as I add the CA to the trusted root CAs.

However, wget (even when using the --no-check-certificate flag) reports:

OpenSSL: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure

If I run the OpenSSL client against my server using:

openssl s_client -connect dnvista:82 -debug

I get back: verify error:num=19:self signed certificate in certificate chain verify return:0 and then

5852:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:.\ssl\s3_pkt.c:1060:SSL alert number 40
5852:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:.\ssl\s23_lib.c:188:

Do wget and the OpenSSL client simply not work with self-signed certificates?

UPDATE:

For anyone that comes along later, adding this code helped with the OpenSSL client and Firefox:

EC_KEY *ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
SSL_CTX_set_tmp_ecdh(ctx, ecdh);
EC_KEY_free(ecdh);

Answer

Anders Lindahl picture Anders Lindahl · Oct 29, 2009

I checked the man page of wget, and --no-check-certificate only seems to affect the server certificate. You need to specify your self-signed certificate as a valid CA certificate locally.

To do this, specify the certificate as --ca-certificate=... in wget and -CAfile in the s_client case.