
[Bug-wget] GnuTLS certificate loading


From: Tim Ruehsen
Subject: [Bug-wget] GnuTLS certificate loading
Date: Fri, 02 Aug 2013 16:11:38 +0200
User-agent: KMail/4.10.5 (Linux/3.10-1-amd64; KDE/4.10.5; x86_64; ; )

Hi,

I realized that gnutls.c loads every file it can find in the given 
ca_directory (default: /etc/ssl/certs).

For me (on Debian SID) it means every certificate is loaded 4 times!

Example Visa certificate:
~/src/wget/src$ l /etc/ssl/certs|grep Visa
lrwxrwxrwx 1 root root     23 11-06-13 08:40:39 6fcc125d.0 -> Visa_eCommerce_Root.pem
lrwxrwxrwx 1 root root     23 11-06-13 08:40:39 a760e1bd.0 -> Visa_eCommerce_Root.pem
lrwxrwxrwx 1 root root     58 27-10-11 09:39:52 Visa_eCommerce_Root.pem -> /usr/share/ca-certificates/mozilla/Visa_eCommerce_Root.crt

That is 3 times plus loading of ca-certificates.crt kept in /etc/ssl/certs/, 
which seems to contain all certificates from /etc/ssl/certs.

It would be easy to fix that, if backwards compatibility wasn't an issue:
1. If we just load *.pem files, we would miss *.crt files
2. If we just load *.crt files, we would miss *.pem files
3. If we load both *.pem and *.crt files, we also load aggregations like ca-certificates.crt (loading certs twice).


My favorite would be to use 
        gnutls_certificate_set_x509_system_trust()
for the default case (opt.ca_certificate == NULL) instead of the hard-coded 
/etc/ssl/certs/. This function loads all certs from the 'system' certs 
directory just once.

For a user-provided cert directory, we should keep the current behavior of 
loading every file in the directory. Anything else may break Wget 
compatibility.

I have already made the changes, but would like to see comments and/or 
opinions.

Regards, Tim
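
As an added illustration of the duplicate loading described in the post (example code, not wget's gnutls.c and not anything Tim posted), the hypothetical helper count_cert_loads() below walks a CA directory the same way, every entry a load candidate, but keys each entry by the inode of its stat() target; the constructed fixture demo_debian_layout() reproduces the Visa layout above plus a copied bundle standing in for ca-certificates.crt, so a naive loop performs 4 loads for 2 distinct files. The bundle copy is the case inode dedup cannot catch, which is why the post prefers gnutls_certificate_set_x509_system_trust() for the default directory.

```c
#define _XOPEN_SOURCE 700
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not wget's gnutls.c): every entry is a load candidate,
 * as the post describes, but keyed by the (dev, inode) of its stat() target so
 * aliases like 6fcc125d.0 -> Visa_eCommerce_Root.pem count once. Returns the
 * naive load count (-1 on error), distinct files in *distinct; 256 is a cap. */
int count_cert_loads(const char *dir, int *distinct)
{
    struct { dev_t dev; ino_t ino; } seen[256];
    int nseen = 0, loads = 0, i;
    char path[4096]; struct stat st; struct dirent *e;
    DIR *d = opendir(dir);
    if (!d) return -1;
    while ((e = readdir(d)) != NULL) {
        if (e->d_name[0] == '.') continue;          /* ".", ".." and hidden */
        snprintf(path, sizeof path, "%s/%s", dir, e->d_name);
        /* stat() follows symlinks; dangling links and subdirs are skipped */
        if (stat(path, &st) != 0 || !S_ISREG(st.st_mode)) continue;
        loads++;
        for (i = 0; i < nseen; i++)
            if (seen[i].dev == st.st_dev && seen[i].ino == st.st_ino) break;
        if (i == nseen && nseen < 256)              /* first sighting */
            seen[nseen].dev = st.st_dev, seen[nseen].ino = st.st_ino, nseen++;
    }
    closedir(d); *distinct = nseen;
    return loads;
}

/* Constructed fixture mirroring the post's Debian layout in a temp dir: one
 * real PEM, two hash-named symlinks to it, and a copied stand-in bundle. */
int demo_debian_layout(int *distinct)
{
    char dir[] = "/tmp/certsXXXXXX", path[4096];
    const char *pem = "-----BEGIN CERTIFICATE-----\nMIIB..constructed..\n-----END CERTIFICATE-----\n";
    const char *files[] = { "Visa_eCommerce_Root.pem", "ca-certificates.crt" };
    const char *links[] = { "6fcc125d.0", "a760e1bd.0" };
    if (!mkdtemp(dir)) return -1;
    for (int i = 0; i < 2; i++) {
        snprintf(path, sizeof path, "%s/%s", dir, files[i]);
        FILE *f = fopen(path, "w"); if (!f) return -1;
        fputs(pem, f); fclose(f);
        snprintf(path, sizeof path, "%s/%s", dir, links[i]);
        if (symlink("Visa_eCommerce_Root.pem", path) != 0) return -1;
    }
    return count_cert_loads(dir, distinct);     /* 4 loads, only 2 distinct */
}
```

The fixture directory is left under /tmp so the entries can be inspected with ls -l as in the post.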
