bug-wget

Re: [Bug-wget] GnuTLS certificate loading


From: Tim Rühsen
Subject: Re: [Bug-wget] GnuTLS certificate loading
Date: Sat, 03 Aug 2013 17:15:41 +0200
User-agent: KMail/4.10.5 (Linux/3.10-1-amd64; KDE/4.10.5; x86_64; ; )

On Saturday, 3 August 2013, 00:14:38, Ángel González wrote:
> On 02/08/13 16:11, Tim Ruehsen wrote:
> > Hi,
> > 
> > I realized that gnutls.c loads every file it can find in the given
> > ca_directory (default: /etc/ssl/certs).
> > 
> > For me (on Debian SID) it means, every certificate is loaded 4 times !
> > 
> > Example Visa certificate:
> > ~/src/wget/src$ l /etc/ssl/certs|grep Visa
> > lrwxrwxrwx 1 root root     23 11-06-13 08:40:39 6fcc125d.0 ->
> > Visa_eCommerce_Root.pem
> > lrwxrwxrwx 1 root root     23 11-06-13 08:40:39 a760e1bd.0 ->
> > Visa_eCommerce_Root.pem
> > lrwxrwxrwx 1 root root     58 27-10-11 09:39:52 Visa_eCommerce_Root.pem ->
> > /usr/share/ca-certificates/mozilla/Visa_eCommerce_Root.crt
> 
> I wonder why you have two different hashes for the same file. Maybe one
> of them comes from an old Visa_eCommerce_Root.crt?
> Those hashes are normally created by c_rehash(1)

Well, I don't know. But calling c_rehash creates two sums per file:

address@hidden:~# c_rehash /etc/ssl/certs/
Doing /etc/ssl/certs/
Camerfirma_Global_Chambersign_Root.pem => cb59f961.0
Camerfirma_Global_Chambersign_Root.pem => a0bc6fbb.0
Chambers_of_Commerce_Root_-_2008.pem => c47d9980.0
Chambers_of_Commerce_Root_-_2008.pem => 1eb37bdf.0
A-Trust-nQual-03.pem => 9c472bf7.0
A-Trust-nQual-03.pem => c3a6a9ad.0
...


> > That is 3 times plus loading of ca-certificates.crt kept in
> > /etc/ssl/certs/, which seems to contain all certificates from
> > /etc/ssl/certs.
> 
> Almost. It contains all certificates activated in
> /etc/ca-certificates.conf (all, by
> default). See update-ca-certificates(8)

Good to know, thank you.


> > It would be easy to fix that, if backwards compatibility wasn't an issue:
> > 1. If we just load *.pem files, we would miss *.crt files
> > 2. If we just load *.crt files, we would miss *.pem files
> > 3. If we load both *.pem and *.crt files, we also load aggregations like
> > ca-certificates.crt (loading certs twice).
> 
> We are obtaining the final inode in the stat(). We should keep a list of
> loaded inodes to avoid loading the same file several times.
> Although that wouldn't fix the duplication with aggregations.

That's a good idea. I'll implement that next week, using Wget's hashtable stuff.
At least for user-provided directories or if
gnutls_certificate_set_x509_system_trust() is not available.

> > My favorite would be to use
> > 
> >     gnutls_certificate_set_x509_system_trust()
> > 
> > for the default case (opt.ca_certificate == NULL) instead of the
> > hard-coded
> > /etc/ssl/certs/. This function loads all certs from the 'system' certs
> > directory just once.
> 
> Looks good.
> 
> > For a user-provided cert directory, we should keep the current behavior of
> > loading every file in the directory. Anything else may break Wget
> > compatibility.
> > 
> > I already have made the changes, but would like to see comments and/or
> > opinions.

Thanks for your response.

Tim
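The two de-duplication layers discussed in this thread, as an added example that is not part of the wget source or of anyone's post here: first skipping files that resolve to an inode already loaded (which folds the c_rehash symlinks such as 6fcc125d.0 and a760e1bd.0 back onto one Visa_eCommerce_Root.pem), then skipping individual certificates whose DER bytes were already seen, which is what catches the repeats inside an aggregate bundle like ca-certificates.crt. The directory layout and the certificate contents are constructed in a temporary directory inside the script (the "certificates" are dummy byte strings wrapped in PEM armor, not real X.509 data), and the function and file names are the example's own.

```python
"""Deduplicate certificates when loading a CA directory.

Added example, not wget's gnutls.c. Two layers:
  1. (device, inode) after following symlinks, so the hash-named links
     created by c_rehash(1) do not load the same file several times;
  2. SHA-256 of the DER bytes, so certificates repeated in an aggregate
     bundle (e.g. ca-certificates.crt) are loaded only once.
Everything is stdlib; no real certificates are parsed, only PEM armor.
"""
import base64
import hashlib
import os
import re
import stat
import tempfile

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def pem_to_ders(data: bytes) -> list:
    """Return the DER bytes of every CERTIFICATE block in a PEM buffer."""
    return [base64.b64decode(b"".join(block.split()))
            for block in PEM_RE.findall(data)]


def load_ca_directory(path: str):
    """Walk one directory (non-recursively, like gnutls.c) and return
    (unique_ders, stats)."""
    seen_inodes = set()
    seen_fingerprints = set()
    unique = []
    stats = {"files": 0, "inode_dups": 0, "cert_dups": 0}
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        st = os.stat(full)            # follows symlinks -> final inode
        if not stat.S_ISREG(st.st_mode):
            continue
        stats["files"] += 1
        key = (st.st_dev, st.st_ino)
        if key in seen_inodes:        # layer 1: same underlying file
            stats["inode_dups"] += 1
            continue
        seen_inodes.add(key)
        with open(full, "rb") as f:
            ders = pem_to_ders(f.read())
        for der in ders:
            fp = hashlib.sha256(der).hexdigest()
            if fp in seen_fingerprints:   # layer 2: same certificate bytes
                stats["cert_dups"] += 1
                continue
            seen_fingerprints.add(fp)
            unique.append(der)
    return unique, stats


def _pem(der: bytes) -> bytes:
    return (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der)
            + b"-----END CERTIFICATE-----\n")


def build_demo_dir() -> str:
    """Constructed layout mimicking /etc/ssl/certs on Debian:
    two 'certificates', two c_rehash-style symlinks to one of them,
    and an aggregate bundle containing both. Dummy DER payloads."""
    d = tempfile.mkdtemp(prefix="cadir-")
    der_a = b"constructed-dummy-cert-A"   # not a real certificate
    der_b = b"constructed-dummy-cert-B"   # not a real certificate
    with open(os.path.join(d, "A_Root.pem"), "wb") as f:
        f.write(_pem(der_a))
    with open(os.path.join(d, "B_Root.pem"), "wb") as f:
        f.write(_pem(der_b))
    os.symlink("A_Root.pem", os.path.join(d, "6fcc125d.0"))
    os.symlink("A_Root.pem", os.path.join(d, "a760e1bd.0"))
    with open(os.path.join(d, "ca-certificates.crt"), "wb") as f:
        f.write(_pem(der_a) + _pem(der_b))
    return d


def demo():
    """Load the constructed directory; returns (unique_ders, stats)."""
    return load_ca_directory(build_demo_dir())


if __name__ == "__main__":
    unique, stats = demo()
    print(f"{len(unique)} unique certificate(s); {stats}")
```

With the constructed layout the naive loader would read five files and seven certificate blocks; the inode check drops the two symlinks and the fingerprint check drops the two copies inside the bundle, leaving two certificates, which is the number a trust store should hold for them.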
