Re: [Bug-wget] [FEATURE-REQUEST] Pinning SSL certificates / check SSL fingerprints

[Ángel González]

On 07/07/12 21:25, Daniel Kahn Gillmor wrote:
> On 07/07/2012 12:50 PM, Ángel González wrote:
>> On 06/07/12 01:01, address@hidden wrote:
>>> Because SSL CA's have failed many times (Comodo, DigiNotar, ...) I wish to 
>>> have an option to pin a SSL certificate. The fingerprint may be optionally 
>>> provided through a new option.
>> Have you tried using --ca-certificate option?
> I believe the OP wants to pin the certificate of the remote server (that
> is, the end entity certificate), whereas --ca-certificate pins the
> certificate of the issuing authority.
>
>       --dkg
Yes, but I expected that if the server certificate was in the
certificate bundle, it would be trusted, just as root certificates don't
need to sign themselves to be trusted. They are trusted for being in the
store. And not-present certificates to be failing validation.
However, it seems to be checking the system certificates regardless of
--ca-certificate pointing to the certificate used by the server or not.
Moreover, pointing --ca-directory to an empty folder doesn't seem to
make a difference, which looks plainly wrong.