wget, self-signed certs and a custom HTTPS server

Question

For various reasons I have created a simple HTTP server, and added SSL support via OpenSSL. I'm using self-signed certificates. IE, FireFox and Chrome happily load content as long as I add the CA to the trusted root CA's.

However, wget (even when using the --no-check-certificate flag) reports:

OpenSSL: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure

If I run the OpenSSL client against my server using:

openssl s_client -connect dnvista:82 -debug

I get back: verify error:num=19:self signed certificate in certificate chain verify return:0 and then

5852:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:.\ssl\s3_pkt.c:1060:SSL alert number 40
5852:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:.\ssl\s23_lib.c:188:

Do wget and the OpenSSL client simply not work with self-signed certificates?

UPDATE:

For anyone that comes along later, adding this code helped with the OpenSSL client and Firefox:

EC_KEY *ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
SSL_CTX_set_tmp_ecdh(ctx, ecdh);
EC_KEY_free(ecdh);

Answer 1

I checked the man page of wget, and --no-check-certificate only seems to affect the server certificate. You need to specify your self-signed certificate as a valid CA certificate locally.

To do this, specify the certificate as --ca-certificate=... in wget and -CAfile in the s_client case.

Answer 2

You can also install trusted root CA certificates into OpenSSL in one of a number of ways:

• Put your CA certificate in /etc/pki/tls/certs or equivalent directory, then create a link based on the certificate hash. See http://gagravarr.org/writing/openssl-certs/others.shtml#ca-openssl for details.
• Append your CA certificate to /etc/pki/tls/certs/ca-bundle.crt, /etc/pki/tls/cert.pem, or equivalent CA bundle.