Re: [Bug-wget] Windows cert store support
From: Eli Zaretskii
Subject: Re: [Bug-wget] Windows cert store support
Date: Fri, 11 Dec 2015 13:22:48 +0200
> Date: Thu, 10 Dec 2015 01:12:37 +0100
> From: Ángel González <address@hidden>
> Cc: bug-wget <address@hidden>
>
> On 09/12/15 03:06, Random Coder wrote:
> > I'm not sure if the wget maintainers would be interested, but I've
> > been carrying this patch around in my private builds of wget for a
> > while. It allows wget to load SSL certs from the default Windows cert
> > store.
> >
> > The patch itself is fairly straightforward, but as it changes the
> > default SSL behavior, and no care was taken to follow coding conventions
> > when I wrote it, it's probably not ready for inclusion in the
> > codebase. Still, if it's useful, feel free to use it for ideas.
> Wow, supporting the OS store would certainly be very cool.
>
> I would probably move it to windows.c and attempt to make it also work
> in gnutls, but in general it looks good.
Wget compiled with GnuTLS already supports this feature: it calls
gnutls_certificate_set_x509_system_trust when the GnuTLS library
supports that. gnutls_certificate_set_x509_system_trust does
internally what the proposed patch does.
So I think this code should indeed go only to openssl.c, as gnutls.c
already has its equivalent.
One other comment I have about the patch is that it's inconsistent
with what gnutls.c does:
  if (!opt.ca_directory)
    ncerts = gnutls_certificate_set_x509_system_trust (credentials);

  /* If GnuTLS version is too old or CA loading failed, fallback to old
     behaviour.  Also use old behaviour if the CA directory is
     user-provided.  */
  if (ncerts <= 0)
    {
IOW, condition the attempt to load the system certs on
opt.ca_directory, and fall back to the certs from files if that fails.
Thanks.