Re: [Bug-wget] Force use of no default certificates
From: Tim Ruehsen
Subject: Re: [Bug-wget] Force use of no default certificates
Date: Mon, 04 May 2015 16:46:16 +0200
User-agent: KMail/4.14.2 (Linux/3.16.0-4-amd64; KDE/4.14.2; x86_64; ; )
> Someone with an OpenSSL version of Wget has to give it a try...
I just gave it a try... as I thought, openssl and gnutls code work
differently. The relevant OpenSSL docs are IMHO very imprecise.
This code does it for me (and survives the test suite), but I have the
feeling this is not the complete solution (one has to dig up the OpenSSL code
to be 100% sure).
    if (opt.ca_cert || opt.ca_directory)
      /* user gave a CA file and/or directory: load only those */
      SSL_CTX_load_verify_locations (ssl_ctx, opt.ca_cert, opt.ca_directory);
    else
      /* nothing given: fall back to OpenSSL's compiled-in default paths */
      SSL_CTX_set_default_verify_paths (ssl_ctx);
Regards, Tim
On Monday 04 May 2015 16:08:23 Tim Ruehsen wrote:
> On Monday 04 May 2015 11:28:01 John Edwards wrote:
> > Hi all,
> >
> > we're having trouble forcing wget to reject https servers that do not
> > present themselves with valid certificate in the context of custom CA. It
> > seems that wget has some default set of trusted certificates (that is
> > verisign, blah blah) that can't be disabled.
> >
> > For example, I want this to fail
> > wget -O- --ca-certificate=myservercert.pem https://www.google.com
> >
> > assuming myservercert.pem has nothing to do with Google's certificate or
> > its trust chain, but it does not fail. With curl, I'm having no trouble.
> >
> > According to replies at
> > http://unix.stackexchange.com/questions/199372/wget-force-no-default-certificates
> > this seems to be a bug (or configuration error?) on some wget
> > versions, but not others.
> >
> > Any thoughts?
>
> Hi John,
>
> having a look at src/gnutls.c:
>
> All certs from the system cert directory are loaded - your ca-cert will be
> loaded additionally.
>
> If you don't want any system certs, you have to specify an empty
> --ca-directory.
>
> If your version of Wget is linked with openssl it might behave differently
> (I didn't test it, but if it behaves like I guess, it is a bug).
>
> ...
> SSL_CTX_set_default_verify_paths (ssl_ctx);
> SSL_CTX_load_verify_locations (ssl_ctx, opt.ca_cert, opt.ca_directory);
> ...
>
> The two lines above are executed unconditionally.
> SSL_CTX_set_default_verify_paths sets the OpenSSL compiled-in cert file and
> path. AFAIK it internally calls SSL_CTX_load_verify_locations().
> I am not sure if a second call to SSL_CTX_load_verify_locations adds up or
> overwrites former settings.
> Someone with an OpenSSL version of Wget has to give it a try...
>
> Regards, Tim
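As an added example (it is not part of the thread and not code from wget), the situation John describes can be reproduced offline with the openssl command-line tool: a server certificate that chains to a pretend "system" CA, a custom CA that has nothing to do with it, and verification once with the custom CA alone and once with the custom CA plus the system store. The script assumes an openssl CLI of 1.1.0 or newer on PATH (for -no-CAfile/-no-CApath); the CA names, file names and the server name are made up for the demo.

```shell
#!/bin/sh
# Added example, not code from the wget thread or from wget itself.
# Reproduces John's scenario offline with the openssl CLI: a server
# certificate that chains to a "system" CA but not to the custom CA, verified
# with the custom CA alone versus custom CA plus the system store.
# Assumed: openssl 1.1.0 or newer on PATH. All names below are made up.
set -eu

# make_pki DIR: generate a throwaway PKI under DIR.
#   sysca.pem  plays the role of the system trust store (also installed into
#              DIR/capath under the subject-hash file name OpenSSL looks up)
#   myca.pem   plays the role of --ca-certificate=myservercert.pem
#   srv.pem    is signed by sysca only, like a public site's certificate
make_pki() {
    dir=$1
    mkdir -p "$dir/capath"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Pretend system CA" \
        -keyout "$dir/sysca.key" -out "$dir/sysca.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=My private CA" \
        -keyout "$dir/myca.key" -out "$dir/myca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=server.example" \
        -keyout "$dir/srv.key" -out "$dir/srv.csr" 2>/dev/null
    openssl x509 -req -days 2 -in "$dir/srv.csr" -CA "$dir/sysca.pem" \
        -CAkey "$dir/sysca.key" -CAcreateserial -out "$dir/srv.pem" 2>/dev/null
    hash=$(openssl x509 -noout -hash -in "$dir/sysca.pem")
    cp "$dir/sysca.pem" "$dir/capath/$hash.0"
}

# verify_with CAPATH CAFILE CERT: verify CERT against CAFILE plus, when CAPATH
# is non-empty, the hashed directory CAPATH. -no-CAfile/-no-CApath keep the
# real system store out of the picture so only the synthetic one counts.
# Prints "ok" or "fail".
verify_with() {
    capath=$1; cafile=$2; cert=$3
    if [ -n "$capath" ]; then
        out=$(openssl verify -no-CAfile -no-CApath -CApath "$capath" \
                  -CAfile "$cafile" "$cert" 2>&1 || true)
    else
        out=$(openssl verify -no-CAfile -no-CApath -CAfile "$cafile" "$cert" 2>&1 || true)
    fi
    case $out in
        *": OK"*) echo ok ;;
        *)        echo fail ;;
    esac
}

# run_demo: build the PKI in a temporary directory and show the three cases.
run_demo() {
    t=$(mktemp -d)
    make_pki "$t"
    # File and directory lookups in one X509_STORE add up, they do not replace
    # each other: this is the "does not fail" behaviour John saw.
    echo "custom CA + system store : $(verify_with "$t/capath" "$t/myca.pem" "$t/srv.pem")"
    # Custom CA alone: the issuer is unknown, so verification fails, which is
    # what --ca-certificate=myservercert.pem was expected to do.
    echo "custom CA only           : $(verify_with "" "$t/myca.pem" "$t/srv.pem")"
    # Sanity check that the server certificate itself is fine.
    echo "system CA only           : $(verify_with "" "$t/sysca.pem" "$t/srv.pem")"
    rm -rf "$t"
}

run_demo
```

Running it prints ok for "custom CA + system store", fail for "custom CA only" and ok for "system CA only". Once a CA location has been added to an OpenSSL X509_STORE, a later load adds to it rather than replacing it, so loading the default paths and then the custom --ca-certificate trusts both; only skipping SSL_CTX_set_default_verify_paths() when a CA file or directory was given restricts trust to the custom CA. For the GnuTLS build the command-line equivalent is, as Tim notes above, an empty --ca-directory= next to --ca-certificate.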