[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Bug-wget] [FEATURE-REQUEST] Pinning SSL certificates / check SSL fi
From: |
Daniel Kahn Gillmor |
Subject: |
Re: [Bug-wget] [FEATURE-REQUEST] Pinning SSL certificates / check SSL fingerprints |
Date: |
Sat, 07 Jul 2012 14:54:25 -0600 |
User-agent: |
Mozilla/5.0 (X11; Linux i686; rv:10.0.4) Gecko/20120510 Icedove/10.0.4 |
On 07/07/2012 02:20 PM, Dagobert Michelsen wrote:
> I have a tiny comment from a downstream packager standpoint: It would be nice
> if the
> capath would be configurable during configure time instead of hardcoding it
> to /etc/ssl/certs as it is now - we e.g. use /etc/opt/csw/ssl/certs and need
> to perl-pi in the unpacked sources. Not a real problem, but also not the most
> elegant solution.
fwiw, I agree with this, and suspect that a patch wouldn't be hard to
come up with (and would be fairly non-controversial).
If you're building against GnuTLS, Look around line 88 of gnutls.c,
because i don't think GnuTLS embeds a default location for a trusted
root certificate store.
If you're building against OpenSSL, i think you might want to change
your OpenSSL configuration directly (at least on debian, libcrypto seems
to hardcode a default path to /usr/lib/ssl/certs, which is a symlink to
/etc/ssl/certs).
hth,
--dkg
signature.asc
Description: OpenPGP digital signature