bug-wget

Re: [Bug-wget] Windows cert store support


From: Eli Zaretskii
Subject: Re: [Bug-wget] Windows cert store support
Date: Fri, 11 Dec 2015 13:22:48 +0200

> Date: Thu, 10 Dec 2015 01:12:37 +0100
> From: Ángel González <address@hidden>
> Cc: bug-wget <address@hidden>
> 
> On 09/12/15 03:06, Random Coder wrote:
> > I'm not sure if the wget maintainers would be interested, but I've
> > been carrying this patch around in my private builds of wget for a
> > while.  It allows wget to load SSL certs from the default Windows cert
> > store.
> >
> > The patch itself is fairly straightforward, but as it changes the
> > default SSL behavior, and no care was taken to follow coding conventions
> > when I wrote it, so it's probably not ready for inclusion in the
> > codebase.  Still, if it's useful, feel free to use it for ideas.
> Wow, supporting the OS store would certainly be very cool.
> 
> I would probably move it to windows.c and attempt to make it also work 
> in gnutls, but in general it looks good.

Wget compiled with GnuTLS already supports this feature: it calls
gnutls_certificate_set_x509_system_trust when the GnuTLS library
supports that.  gnutls_certificate_set_x509_system_trust does
internally what the proposed patch does.

So I think this code should indeed go only to openssl.c, as gnutls.c
already has its equivalent.

One other comment I have about the patch is that it's inconsistent
with what gnutls.c does:

  if (!opt.ca_directory)
    ncerts = gnutls_certificate_set_x509_system_trust (credentials);
  /* If GnuTLS version is too old or CA loading failed, fallback to old behaviour.
   * Also use old behaviour if the CA directory is user-provided.  */
  if (ncerts <= 0)
    {

IOW, condition the attempt to load the system certs on
opt.ca_directory, and fall back to the certs from files if that fails.

Thanks.
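The loading order described in this reply, as an added example that is not wget's own code: the two loaders are injected and the stand-ins are constructed, so the decision (skip the OS store when --ca-directory is given, fall back to files when the store yields nothing or the library lacks support) can be exercised without a TLS library. All names are hypothetical.

```c
#include <stdio.h>

/* Added example, not wget's own code: the CA-loading order the reply
 * describes, with both loaders injected so the decision can be
 * exercised without a TLS library.  All names here are hypothetical. */
typedef int (*system_trust_fn) (void);                    /* cert count, <0 on error */
typedef int (*file_trust_fn) (const char *, const char *); /* cert count from files */

enum ca_source { CA_SYSTEM, CA_FILES, CA_NONE };

/* Mirrors the gnutls.c pattern: consult the OS store only when the
 * user gave no --ca-directory; treat "library too old" (<0) and
 * "store loaded nothing" (0) alike and fall back to file-based CAs. */
enum ca_source
load_ca_certs (const char *ca_file, const char *ca_directory,
               system_trust_fn system_trust, file_trust_fn file_trust,
               int *ncerts_out)
{
  int ncerts = 0;
  enum ca_source src = CA_NONE;

  if (!ca_directory)
    ncerts = system_trust ();
  if (ncerts > 0)
    src = CA_SYSTEM;
  else
    {
      ncerts = file_trust (ca_file, ca_directory);
      src = ncerts > 0 ? CA_FILES : CA_NONE;
    }
  if (ncerts_out)
    *ncerts_out = ncerts > 0 ? ncerts : 0;
  return src;
}

/* Constructed stand-ins for the real loaders. */
static int sys_ok (void)    { return 140; }
static int sys_empty (void) { return 0; }
static int sys_old (void)   { return -1; }   /* no system-trust support */
static int files (const char *f, const char *d) { return (f || d) ? 3 : 0; }

/* Count helper so callers can check how many CAs were actually loaded. */
int loaded_count (const char *ca_file, const char *ca_directory,
                  system_trust_fn st, file_trust_fn ft)
{
  int n = 0;
  load_ca_certs (ca_file, ca_directory, st, ft, &n);
  return n;
}
```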
