[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Bug-wget] Docs missing info on ca_directory and ca_certfile

From: Ander Juaristi
Subject: Re: [Bug-wget] Docs missing info on ca_directory and ca_certfile
Date: Thu, 3 Jan 2019 18:23:14 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.2.1


The patch looks good to me. As Tim says, I would also pass NULL as the
second param in line 20.  If we provide --ca-directory what would happen
is that OpenSSL will pick up the most suitable certificate from the
directory based on the hash value of the name, and some other field I
don't remember. GnuTLS will consider all of them. In the end it's the
same behavior.

Tim, could you merge the patch?

On 29/12/18 17:54, Jeffrey Walton wrote:
> On Sat, Dec 29, 2018 at 11:43 AM Tim Rühsen <address@hidden> wrote:
>> On 29.12.18 05:00, Jeffrey Walton wrote:
>>> On Fri, Dec 28, 2018 at 10:07 PM Jeffrey Walton <address@hidden> wrote:
>>>> The sample wgetrc is missing info on ca_directory . Also see
>>>> https://www.gnu.org/software/wget/manual/html_node/Sample-Wgetrc.html.
>>>> I also cannot figure out how to tell Wget to use cacert.pem. I've
>>>> tried ca_cert, ca_certs and ca_certfile but it produces:
>>>>     wget: Unknown command ‘ca_file’ in /opt/bootstrap/etc/wgetrc at line 
>>>> 141
>>>>     Parsing system wgetrc file failed.
>>> My bad... I found it. openssl.c used "opt.ca_cert", so I was trying to
>>> use the same in rc file. The correct name is ca_certificate.
>> There are some inconsistencies with the naming in rc files and on the
>> command line. We do not have this any more with wget2.
>>> Tim, you may want this when Wget is built against OpenSSL. It makes
>>> Wget/OpenSSL behave like Wget/GnuTLS:
>>> https://github.com/noloader/Build-Scripts/blob/master/bootstrap/wget.patch
>> Thanks for the pointer.
>> On L20 the second param to SSL_CTX_load_verify_locations can be NULL.
>> I personally don't care much for OpenSSL - I put Ander on CC.
> Yeah, understood.
> The problem I'm facing is I need a working Wget quickly. Trying to
> build GnuTLS from sources is too heavy weight at this point in the
> process. I can do it later, but I need the lightweight version
> immediately.
> The patch tested OK on Linux back to Fedora 1 with GCC 3. I've still
> got AIX, OS X, Solaris and some other testing to do.
> Jeff

Attachment: pEpkey.asc
Description: application/pgp-keys

reply via email to

[Prev in Thread] Current Thread [Next in Thread]