Tag Archives: openssl

Wget and https

GNU Wget is a popular file download program, being installed by default on many Linux distributions. Recent Mac OS versions don’t ship Wget, though – Apple ships cURL instead.

Fink provides a wget package that installs Wget. It includes SSL (https) support provided by Mac OS built-in OpenSSL.  There’s a problem with that, though: on Mac OS versions earlier than 10.6, Apple’s OpenSSL doesn’t use the trusted root certificates available on the system (the ones listed by Keychain.app), so it is not able to validate SSL certificates on its own. Note that OpenSSL itself (independently of being shipped with Mac OS) isn’t distributed with root certificates by default.

Because of this, on Mac OS versions earlier than 10.6 the command

wget https://fedorahosted.org

won’t work:

ERROR: cannot verify fedorahosted.org's certificate,
issued by `/C=US/O=Equifax/OU=Equifax Secure
Certificate Authority':
Unable to locally verify the issuer's authority.
To connect to fedorahosted.org insecurely, use
Unable to establish SSL connection.

There are a couple of options to circumvent this. As the error message says, it’s possible to use –no-check-certificate, which is insecure. Another option is –ca-certificate=file where file is a bundle of trusted certification authority certificates. Fink provides a package called ca-bundle that installs a convenient file containing a bundle of CA certificates commonly used by open source Web browsers. After running

fink install ca-bundle

you should be able to use /sw/etc/ssl/certs/ca-bundle.crt with Wget:

wget --ca-certificate=/sw/etc/ssl/certs/ca-bundle.crt \

Fortunately, you may specify that option in one of Wget’s startup files (e.g. $HOME/.wgetrc or /sw/etc/wgetrc) by adding the following line to your startup file of choice:

ca_certificate = /sw/etc/ssl/certs/ca-bundle.crt

And voilà!, you may use wget as usual:

wget https://fedorahosted.org

This is particularly useful if you’re using Wget as your DownloadMethod and Fink needs to download a source file from an https URL.