bug-wget

Re: [Bug-wget] Wget cannot validate https://ftp.gnu.org?


From: Jeffrey Walton
Subject: Re: [Bug-wget] Wget cannot validate https://ftp.gnu.org?
Date: Thu, 19 Oct 2017 02:46:04 -0400

On Wed, Oct 18, 2017 at 7:58 PM, Jeffrey Walton <address@hidden> wrote:
> On Mon, Oct 16, 2017 at 4:52 AM, Tim Rühsen <address@hidden> wrote:
>> ...
>>
>> Caveat: wget has been built with GnuTLS (3.5.15). The OpenSSL (1.1.0f)
>> code seems not to support --ca-directory !? It succeeds with both the
>> above tests. While we only actively support GnuTLS, we accept OpenSSL
>> code patches (if you like to provide one).
>
> I believe this is most of the patch you need. You or Simon will still
> need to touch it up. For example, I did not know how to handle a
> failure in OpenSSL from X509_VERIFY_PARAM_new().

Tim, hold-off on this at the moment. I want to talk to Matt Caswell
about it to ensure it meets requirements.

Matt is one of the OpenSSL devs. He is very helpful with his comments
and suggestions. In fact, he's the one who alerted me to
X509_V_FLAG_PARTIAL_CHAIN.

What I am wondering is... On a machine where both CAfile and CApath
are working as expected, are we only using CAfile; or are we using
CApath and getting the CA Zoo if the directory is populated?

CAfile and CApath are names of s_client options that equate to the
parameters in calls like SSL_CTX_load_verify_locations. -CAfile is
actually equivalent to Wget's --ca-certificate. On some distros CApath
is broken so it appears OpenSSL does not trust anything by default.
But this is actually a bug in the utilities.

Jeff
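Added example, not code from the wget project or from anyone in this thread: a shell script that builds a throwaway root -> intermediate -> leaf chain with the openssl CLI and then runs `openssl verify` five ways, so the behaviours discussed above can be seen side by side: CAfile (wget's --ca-certificate), a CApath directory that is populated but has no hash symlinks (the "broken CApath" case), the same directory after hashing (wget's --ca-directory), and an intermediate-only trust store with and without -partial_chain (the command-line form of X509_V_FLAG_PARTIAL_CHAIN). It assumes only an openssl binary of 1.1.0 or later; the config section names, the CNs, and the temp-directory layout are invented for the example.

```sh
#!/bin/sh
# Added example, not code from wget or from the thread. Assumes only the
# `openssl` CLI (1.1.0 or later, for -no-CAfile/-no-CApath). Everything is
# generated into a temp dir; the system trust store plays no part.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req/x509 config so the example does not depend on the distro
# openssl.cnf; section names and CNs are invented for this example.
cat >"$WORK/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
EOF

# Constructed throwaway PKI: root -> intermediate -> leaf.
mkreq()  { openssl req -config "$WORK/pki.cnf" -newkey rsa:2048 -nodes -sha256 "$@" 2>/dev/null; }
mksign() { openssl x509 -req -days 2 -sha256 -CAcreateserial -extfile "$WORK/pki.cnf" "$@" 2>/dev/null; }

mkreq -x509 -extensions ca_ext -days 2 -subj "/CN=Example Root" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem"
mkreq -subj "/CN=Example Intermediate" -keyout "$WORK/inter.key" -out "$WORK/inter.csr"
mksign -extensions ca_ext -in "$WORK/inter.csr" -CA "$WORK/root.pem" \
    -CAkey "$WORK/root.key" -out "$WORK/inter.pem"
mkreq -subj "/CN=ftp.example.test" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr"
mksign -extensions leaf_ext -in "$WORK/leaf.csr" -CA "$WORK/inter.pem" \
    -CAkey "$WORK/inter.key" -out "$WORK/leaf.pem"

# Two CApath directories holding the same root. OpenSSL's directory lookup only
# finds a CA through a <subject-hash>.N link (what `openssl rehash` / c_rehash
# create), so a directory of bare .pem files looks populated but trusts nothing.
mkdir "$WORK/capath-unhashed" "$WORK/capath-hashed"
cp "$WORK/root.pem" "$WORK/capath-unhashed/root.pem"
cp "$WORK/root.pem" "$WORK/capath-hashed/root.pem"
ln -s root.pem "$WORK/capath-hashed/$(openssl x509 -noout -hash -in "$WORK/root.pem").0"

# Verify the leaf against exactly the anchors given (no default CAfile/CApath),
# with the intermediate supplied as untrusted, the way a server sends it in the
# handshake. Returns openssl's exit status.
verify_leaf() {
    openssl verify -no-CAfile -no-CApath -untrusted "$WORK/inter.pem" \
        "$@" "$WORK/leaf.pem" >/dev/null 2>&1
}

cafile_root()          { verify_leaf -CAfile "$WORK/root.pem"; }         # wget --ca-certificate
capath_unhashed()      { verify_leaf -CApath "$WORK/capath-unhashed"; }  # "broken" CApath
capath_hashed()        { verify_leaf -CApath "$WORK/capath-hashed"; }    # wget --ca-directory
cafile_inter()         { verify_leaf -CAfile "$WORK/inter.pem"; }        # anchor is not self-signed
cafile_inter_partial() { verify_leaf -partial_chain -CAfile "$WORK/inter.pem"; }  # X509_V_FLAG_PARTIAL_CHAIN

report() { if "$2"; then echo "ok    $1"; else echo "fail  $1"; fi; }
report "CAfile=root.pem"                     cafile_root
report "CApath without hash links"           capath_unhashed
report "CApath with hash links"              capath_hashed
report "CAfile=intermediate, full chain"     cafile_inter
report "CAfile=intermediate, -partial_chain" cafile_inter_partial
```

Run as a plain script it prints the five results. The two failing cases are the ones the thread is about: a --ca-directory that is populated but lacks hash links trusts nothing until it is rehashed, and a trust store whose only entry is a non-self-signed intermediate is rejected until X509_V_FLAG_PARTIAL_CHAIN (here -partial_chain) is set. Pointing wget's --ca-directory at the two capath directories reproduces the same split.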