Re: [Bug-wget] GnuTLS certificate loading

From: Ángel González
Subject: Re: [Bug-wget] GnuTLS certificate loading
Date: Sat, 03 Aug 2013 00:14:38 +0200
On 02/08/13 16:11, Tim Ruehsen wrote:

> I realized that gnutls.c loads every file it can find in the given
> ca_directory (default: /etc/ssl/certs).
>
> For me (on Debian SID) it means, every certificate is loaded 4 times !
>
> Example Visa certificate:
> ~/src/wget/src$ l /etc/ssl/certs|grep Visa
> lrwxrwxrwx 1 root root     23 11-06-13 08:40:39 6fcc125d.0 ->
> lrwxrwxrwx 1 root root     23 11-06-13 08:40:39 a760e1bd.0 ->
> lrwxrwxrwx 1 root root     58 27-10-11 09:39:52 Visa_eCommerce_Root.pem ->
I wonder why you have two different hashes for the same file. Maybe one of them
comes from an old Visa_eCommerce_Root.crt ?
Those hashes are normally created by c_rehash(1)

> That is 3 times plus loading of ca-certificates.crt kept in /etc/ssl/certs/,
> which seems to contain all certificates from /etc/ssl/certs.
Almost. It contains all certificates activated in /etc/ca-certificates.conf (all, by
default). See update-ca-certificates(8)

> It would be easy to fix that, if backwards compatibility wasn't an issue:
> 1. If we just load *.pem files, we would miss *.crt files
> 2. If we just load *.crt files, we would miss *.pem files
> 3. If we load both *.pem and *.crt files, we also load aggregations like
> ca-certificates.crt (loading certs twice).
We are obtaining the final inode in the stat(). We should keep a list of loaded
inodes to avoid loading the same file several times.
Although that wouldn't fix the duplication with aggregations.

> My favorite would be to use
> for the default case (opt.ca_certificate == NULL) instead of the hard-coded
> /etc/ssl/certs/. This function loads all certs from the 'system' certs
> directory just once.
Looks good.

> For a user-provided cert directory, we should keep the current behavior of
> loading every file in the directory. Anything else may break Wget

> I already have made the changes, but would like to see comments and/or

> Regards, Tim
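
The inode list Ángel proposes, combined with a content check for the aggregation case he notes the inode list alone would not cover, as an added example in C. This is not Wget's gnutls.c and not code from anyone in this thread. It assumes a Debian-style layout (individual .pem/.crt files, c_rehash hash.0 symlinks, and a ca-certificates.crt bundle), which it constructs itself in a temporary directory under /tmp with placeholder PEM bodies rather than real root certificates; the load_stats structure, demo_count() and the fixed 256-entry limit are the example's own choices.

```c
/* Added example, not Wget's code: read each certificate in a directory once,
 * even when c_rehash symlinks (6fcc125d.0 -> Visa_eCommerce_Root.pem) and an
 * aggregated bundle (ca-certificates.crt) repeat the same certificates.
 * Filter 1: skip a path whose (st_dev, st_ino) after stat() was already read.
 * Filter 2: skip a PEM body already taken from another file.
 * The PEM bodies below are constructed placeholders, not real root certs. */
#define _XOPEN_SOURCE 700
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define MAX_ENTRIES 256   /* demo-sized limit (assumption); a real loader grows this */
enum { FILES_SEEN, FILES_SKIPPED, CERTS_SEEN, CERTS_UNIQUE };

struct load_stats {
    int files_seen, files_skipped, certs_seen, certs_unique, n_inodes;
    dev_t devs[MAX_ENTRIES];
    ino_t inos[MAX_ENTRIES];
    char *bodies[MAX_ENTRIES];   /* whitespace-stripped base64 of each unique cert */
};

/* Returns 1 and records (dev, ino) if new; 0 if this file was already read. */
static int remember_inode(struct load_stats *st, dev_t dev, ino_t ino)
{
    for (int k = 0; k < st->n_inodes; k++)
        if (st->devs[k] == dev && st->inos[k] == ino) return 0;
    if (st->n_inodes < MAX_ENTRIES) { st->devs[st->n_inodes] = dev; st->inos[st->n_inodes++] = ino; }
    return 1;
}

/* Returns 1 and keeps the body if no identical certificate was loaded before. */
static int remember_body(struct load_stats *st, const char *body)
{
    for (int k = 0; k < st->certs_unique; k++)
        if (strcmp(st->bodies[k], body) == 0) return 0;
    if (st->certs_unique < MAX_ENTRIES) st->bodies[st->certs_unique++] = strdup(body);
    return 1;
}

/* Extract every PEM CERTIFICATE block from one file; line wrapping is ignored. */
static void load_pem_file(const char *path, struct load_stats *st)
{
    const char *begin = "-----BEGIN CERTIFICATE-----", *end = "-----END CERTIFICATE-----";
    FILE *f = fopen(path, "r");
    if (!f) return;
    fseek(f, 0, SEEK_END);
    long size = ftell(f);
    rewind(f);
    char *text = calloc(size > 0 ? (size_t)size + 1 : 1, 1);
    size_t got = text ? fread(text, 1, size > 0 ? (size_t)size : 0, f) : 0;
    fclose(f);
    if (!text) return;
    text[got] = '\0';
    char *p = text, *e = NULL;
    while ((p = strstr(p, begin)) != NULL) {
        p += strlen(begin);
        if ((e = strstr(p, end)) == NULL) break;          /* truncated block: ignore */
        char *body = malloc((size_t)(e - p) + 1);
        if (!body) break;
        size_t n = 0;
        for (const char *q = p; q < e; q++)                /* drop the line breaks */
            if (*q != '\n' && *q != '\r' && *q != ' ' && *q != '\t') body[n++] = *q;
        body[n] = '\0';
        st->certs_seen++;
        remember_body(st, body);
        free(body);
        p = e + strlen(end);
    }
    free(text);
}

/* Walk the directory; stat() follows symlinks, so st_ino is the final file's. */
int load_cert_dir(const char *dir, struct load_stats *st)
{
    DIR *d = opendir(dir);
    if (!d) return -1;
    struct dirent *ent;
    while ((ent = readdir(d)) != NULL) {
        char path[4096];
        struct stat sb;
        if (!strcmp(ent->d_name, ".") || !strcmp(ent->d_name, "..")) continue;
        snprintf(path, sizeof path, "%s/%s", dir, ent->d_name);
        if (stat(path, &sb) != 0 || !S_ISREG(sb.st_mode)) continue;
        st->files_seen++;
        if (!remember_inode(st, sb.st_dev, sb.st_ino)) { st->files_skipped++; continue; }
        load_pem_file(path, st);
    }
    closedir(d);
    return 0;
}

/* Constructed fixture mirroring the Debian layout from the thread. */
static const char CERT_A[] = "-----BEGIN CERTIFICATE-----\nVmlzYUEx\nVmlzYUEy\n-----END CERTIFICATE-----\n";
static const char CERT_B[] = "-----BEGIN CERTIFICATE-----\nT3RoZXJC\n-----END CERTIFICATE-----\n";

static void put(const char *dir, const char *name, const char *c1, const char *c2)
{
    char path[4096];
    snprintf(path, sizeof path, "%s/%s", dir, name);
    FILE *f = fopen(path, "w");
    if (!f) return;
    fputs(c1, f);
    if (c2) fputs(c2, f);
    fclose(f);
}

/* Build the fixture in a temp dir, load it, clean up, return one counter (or -1). */
int demo_count(int field)
{
    char dir[] = "/tmp/certdemoXXXXXX", path[4096];
    const char *names[] = { "Visa_eCommerce_Root.pem", "6fcc125d.0", "a760e1bd.0",
                            "Other_Root.crt", "ca-certificates.crt" };
    struct load_stats st = { 0 };
    if (!mkdtemp(dir)) return -1;
    put(dir, names[0], CERT_A, NULL);
    snprintf(path, sizeof path, "%s/%s", dir, names[1]);
    if (symlink(names[0], path) != 0) return -1;          /* hash.0 -> .pem, as c_rehash makes */
    snprintf(path, sizeof path, "%s/%s", dir, names[2]);
    if (symlink(names[0], path) != 0) return -1;
    put(dir, names[3], CERT_B, NULL);
    put(dir, names[4], CERT_A, CERT_B);                    /* the bundle repeats both */
    int rc = load_cert_dir(dir, &st);
    for (int i = 0; i < 5; i++) { snprintf(path, sizeof path, "%s/%s", dir, names[i]); unlink(path); }
    rmdir(dir);
    for (int i = 0; i < st.certs_unique; i++) free(st.bodies[i]);
    if (rc) return -1;
    int counts[] = { st.files_seen, st.files_skipped, st.certs_seen, st.certs_unique };
    return (field >= 0 && field < 4) ? counts[field] : -1;
}

int main(void)
{
    printf("files seen %d, skipped by inode %d, certs parsed %d, unique %d\n",
           demo_count(FILES_SEEN), demo_count(FILES_SKIPPED),
           demo_count(CERTS_SEEN), demo_count(CERTS_UNIQUE));
    return 0;
}
```

On the fixture, five directory entries are regular files after stat() follows the symlinks; the two hash.0 links resolve to the inode of Visa_eCommerce_Root.pem and are skipped, so four certificate blocks are parsed (one from the .pem, one from the .crt, two from the bundle) and only two are unique. The bundle is a distinct inode and passes the inode filter, which is why the body comparison is still needed. Comparing the whitespace-stripped base64 is exact equality of the DER; a real loader would compare the parsed DER or its fingerprint, and would still not need either filter for the default case if the system trust store is loaded through the library in one call, as Tim proposes.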

