Re: [Bug-wget] Docs missing info on ca_directory and ca_certfile
From: Ander Juaristi
Subject: Re: [Bug-wget] Docs missing info on ca_directory and ca_certfile
Date: Thu, 3 Jan 2019 18:23:14 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.2.1

Hi,

The patch looks good to me. As Tim says, I would also pass NULL as the
second param in line 20. If we provide --ca-directory what would happen
is that OpenSSL will pick up the most suitable certificate from the
directory based on the hash value of the name, and some other field I
don't remember. GnuTLS will consider all of them. In the end it's the
same behavior.

Tim, could you merge the patch?

On 29/12/18 17:54, Jeffrey Walton wrote:
> On Sat, Dec 29, 2018 at 11:43 AM Tim Rühsen <address@hidden> wrote:
>>
>> On 29.12.18 05:00, Jeffrey Walton wrote:
>>> On Fri, Dec 28, 2018 at 10:07 PM Jeffrey Walton <address@hidden> wrote:
>>>>
>>>> The sample wgetrc is missing info on ca_directory. Also see
>>>> https://www.gnu.org/software/wget/manual/html_node/Sample-Wgetrc.html.
>>>>
>>>> I also cannot figure out how to tell Wget to use cacert.pem. I've
>>>> tried ca_cert, ca_certs and ca_certfile but it produces:
>>>>
>>>> wget: Unknown command ‘ca_file’ in /opt/bootstrap/etc/wgetrc at line
>>>> 141
>>>> Parsing system wgetrc file failed.
>>>
>>> My bad... I found it. openssl.c used "opt.ca_cert", so I was trying to
>>> use the same in rc file. The correct name is ca_certificate.
>>
>> There are some inconsistencies with the naming in rc files and on the
>> command line. We do not have this any more with wget2.
>>
>>> Tim, you may want this when Wget is built against OpenSSL. It makes
>>> Wget/OpenSSL behave like Wget/GnuTLS:
>>> https://github.com/noloader/Build-Scripts/blob/master/bootstrap/wget.patch
>>
>> Thanks for the pointer.
>>
>> On L20 the second param to SSL_CTX_load_verify_locations can be NULL.
>>
>> I personally don't care much for OpenSSL - I put Ander on CC.
>
> Yeah, understood.
>
> The problem I'm facing is I need a working Wget quickly. Trying to
> build GnuTLS from sources is too heavy weight at this point in the
> process. I can do it later, but I need the lightweight version
> immediately.
>
> The patch tested OK on Linux back to Fedora 1 with GCC 3. I've still
> got AIX, OS X, Solaris and some other testing to do.
>
> Jeff
>
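
The hash-based directory lookup mentioned in the message above, as an added example that is not part of the mailing-list thread or of Wget's code: OpenSSL only finds a CA in a directory when the file is reachable under the name `<subject-hash>.<n>`, so a directory of plain `.pem` files is not a usable `--ca-directory` until hash links exist. The certificate, its subject and the temporary directory are constructed for the demo; it assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Constructed demo: a throwaway self-signed CA in a temporary directory.

# Create a throwaway self-signed CA certificate in directory $1.
make_demo_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Demo CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" >/dev/null 2>&1
}

# File name OpenSSL looks up in a CA directory: <subject-name-hash>.0
hashed_name() {
    printf '%s.0\n' "$(openssl x509 -noout -subject_hash -in "$1")"
}

# Succeeds only if OpenSSL finds a trust anchor for $2 via directory $1.
verify_with_capath() {
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

# Prints "unhashed=<ok|fail> hashed=<ok|fail>".
capath_demo() {
    d=$(mktemp -d) || return 1
    make_demo_ca "$d" || { rm -rf "$d"; return 1; }

    # ca.pem is in the directory, but not under its hashed name yet.
    if verify_with_capath "$d" "$d/ca.pem"; then before=ok; else before=fail; fi

    # Add the hash link (what c_rehash / "openssl rehash" does for a whole directory).
    ln -s ca.pem "$d/$(hashed_name "$d/ca.pem")"
    if verify_with_capath "$d" "$d/ca.pem"; then after=ok; else after=fail; fi

    rm -rf "$d"
    echo "unhashed=$before hashed=$after"
}

capath_demo
```

When a Wget built against OpenSSL rejects certificates with `ca_directory` set, checking that the directory contains the hash links is a quick first step; `openssl rehash <dir>` or `c_rehash <dir>` creates them.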