bug-wget

Re: [Bug-wget] Force use of no default certificates


From: Tim Ruehsen
Subject: Re: [Bug-wget] Force use of no default certificates
Date: Mon, 04 May 2015 16:46:16 +0200
User-agent: KMail/4.14.2 (Linux/3.16.0-4-amd64; KDE/4.14.2; x86_64; ; )

> Someone with an OpenSSL version of Wget has to give it a try...

I just gave it a try... as I thought, the openssl and gnutls code work 
differently. The relevant OpenSSL docs are IMHO very imprecise.

This code does it for me (and survives the test suite), but I have the 
feeling this is not the complete solution (one has to dig into the OpenSSL 
code to be 100% sure).

  /* Only consult the compiled-in default file/directory when the user
     gave neither --ca-certificate nor --ca-directory. */
  if (opt.ca_cert || opt.ca_directory)
    SSL_CTX_load_verify_locations (ssl_ctx, opt.ca_cert, opt.ca_directory);
  else
    SSL_CTX_set_default_verify_paths (ssl_ctx);

Regards, Tim

On Monday 04 May 2015 16:08:23 Tim Ruehsen wrote:
> On Monday 04 May 2015 11:28:01 John Edwards wrote:
> > Hi all,
> > 
> > we're having trouble forcing wget to reject https servers that do not
> > present themselves with a valid certificate in the context of a custom CA.
> > It seems that wget has some default set of trusted certificates (that is
> > verisign, blah blah) that can't be disabled.
> > 
> > For example, I want this to fail
> > wget -O- --ca-certificate=myservercert.pem https://www.google.com
> > 
> > assuming myservercert.pem has nothing to do with Google's certificate or
> > its trust chain, but it does not fail. With curl, I'm having no trouble.
> > 
> > According to replies at
> > http://unix.stackexchange.com/questions/199372/wget-force-no-default-certificates
> > this seems to be a bug (or configuration error?) on some wget versions,
> > but not others.
> > 
> > Any thoughts?
> 
> Hi John,
> 
> having a look at src/gnutls.c:
> 
> All certs from the system cert directory are loaded - your ca-cert will be
> loaded additionally.
> 
> If you don't want any system certs, you have to specify an empty
> --ca-directory.
> 
> If your version of Wget is linked with openssl it might behave differently
> (I didn't test it, but if it behaves like I guess, it is a bug).
> 
> ...
>   SSL_CTX_set_default_verify_paths (ssl_ctx);
>   SSL_CTX_load_verify_locations (ssl_ctx, opt.ca_cert, opt.ca_directory);
> ...
> 
> The two lines above are executed unconditionally.
> SSL_CTX_set_default_verify_paths sets the OpenSSL compiled-in cert file and
> path. AFAIK it internally calls SSL_CTX_load_verify_locations().
> I am not sure if a second call to SSL_CTX_load_verify_locations adds up or
> overwrites former settings.
> Someone with an OpenSSL version of Wget has to give it a try...
> 
> Regards, Tim

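The script below is an added illustration for this thread, not code from wget or from anyone posting here. It reproduces John's observation and Tim's fix with the openssl command-line tool instead of the SSL_CTX_* calls, because the verify options -CAfile, -CApath and -no-CApath correspond directly to what SSL_CTX_load_verify_locations() and SSL_CTX_set_default_verify_paths() feed into the X509 store: a locally generated "system" root stands in for the default CA store, an unrelated CA plays the role of myservercert.pem, and a leaf certificate issued by the system root plays www.google.com. Every name in it (sys-ca, other-ca, leaf, sysdir, emptydir) is made up for the example; it needs OpenSSL 1.1.0 or later for -no-CApath, and it runs entirely offline.

```sh
#!/bin/sh
# Added example (not wget's code): reproduce the trust-store behaviour from
# the thread with the openssl CLI. Everything below is generated locally.
set -eu

# Without the openssl tool there is nothing to demonstrate.
command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 0; }

PKI=$(mktemp -d)
trap 'rm -rf "$PKI"' EXIT

# Throw-away PKI (all names constructed for this example):
#   sys-ca.pem   stands in for a root from the system/default CA store
#   other-ca.pem an unrelated CA, i.e. John's myservercert.pem
#   leaf.pem     a server certificate issued by sys-ca ("www.google.com")
#   sysdir/      hash-named copy of sys-ca, usable as -CApath/--ca-directory
#   emptydir/    an empty directory, the --ca-directory workaround
make_pki() {
    dir=$1
    mkdir -p "$dir/sysdir" "$dir/emptydir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Simulated System Root" \
        -keyout "$dir/sys-ca.key" -out "$dir/sys-ca.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Unrelated Private CA" \
        -keyout "$dir/other-ca.key" -out "$dir/other-ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=www.example.test" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/leaf.csr" \
        -CA "$dir/sys-ca.pem" -CAkey "$dir/sys-ca.key" -CAcreateserial \
        -out "$dir/leaf.pem" 2>/dev/null
    # A CA directory is searched by <subject hash>.<n>, which is what the
    # CApath argument of SSL_CTX_load_verify_locations() expects.
    cp "$dir/sys-ca.pem" \
       "$dir/sysdir/$(openssl x509 -noout -hash -in "$dir/sys-ca.pem").0"
}

# Verify the leaf against the trust sources given as arguments and print the
# verdict; the exit status follows it (0 accepted, 1 rejected).
verdict() {
    if openssl verify "$@" "$PKI/leaf.pem" >/dev/null 2>&1; then
        echo accepted
    else
        echo rejected
        return 1
    fi
}

# (1) Pre-fix wget linked with OpenSSL: SSL_CTX_set_default_verify_paths()
#     and SSL_CTX_load_verify_locations() both run, so the explicit CA file is
#     added to the default directory instead of replacing it. The leaf chains
#     to the "system" root and is accepted despite --ca-certificate.
explicit_cafile_plus_default_dir() {
    verdict -CAfile "$PKI/other-ca.pem" -CApath "$PKI/sysdir"
}

# (2) Tim's fix: when a CA file is given, the default paths are not loaded.
explicit_cafile_only() {
    verdict -CAfile "$PKI/other-ca.pem" -no-CApath
}

# (3) The workaround that also covers the GnuTLS build:
#     --ca-certificate=other-ca.pem --ca-directory=emptydir
explicit_cafile_plus_empty_dir() {
    verdict -CAfile "$PKI/other-ca.pem" -CApath "$PKI/emptydir"
}

# (4) Control: the issuing CA alone is sufficient.
issuing_ca_only() {
    verdict -CAfile "$PKI/sys-ca.pem" -no-CApath
}

make_pki "$PKI"
for name in explicit_cafile_plus_default_dir explicit_cafile_only \
            explicit_cafile_plus_empty_dir issuing_ca_only; do
    printf '%-34s %s\n' "$name" "$("$name" || true)"
done
```

Case (1) is the unconditional pair of calls quoted from src/openssl.c: the explicit CA file only adds to whatever the default directory already trusts, so the chain is still accepted. Cases (2) and (3) are the two ways to actually narrow trust, skipping the default paths as Tim's snippet does and pointing the directory at an empty one, which in wget terms is `wget --ca-certificate=other-ca.pem --ca-directory=emptydir https://...` and works for both TLS back ends. Note that openssl verify silently accepts a CApath that does not exist or is empty; it never complains that it found no CA there, so "rejected" is the only confirmation you get. OpenSSL 3 adds a third default source selected with -CAstore/-no-CAstore; the private CAs here are not in it, so the outcomes above do not change.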

