
Re: [Bug-wget] wget/gnutls TOFU certificate authentication?


From: Giuseppe Scrivano
Subject: Re: [Bug-wget] wget/gnutls TOFU certificate authentication?
Date: Tue, 30 Sep 2014 22:22:30 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3 (gnu/linux)

Daniel Kahn Gillmor <address@hidden> writes:

> On 09/30/2014 10:47 AM, Tim Ruehsen wrote:
>> 1. if e.g. --ssh-style-verification is given on the command line (or within 
>> wgetrc).
>> 
>> 2. --no-check-certificate is given AND the cert check (which we always 
>> perform) fails AND wget is in 'interactive mode' (isatty()==true).
>
> Of these two, I think I prefer 1 (the option could just be --tofu or
> something), where the TOFU behavior kicks in only if the certificate
> doesn't validate on the X.509 chain.

I think we can make it the default when --no-check-certificate is used,
and to keep the current behavior we can add an argument like
--no-check-certificate=force.

It shouldn't break existing scenarios, and when it does, it is better
people take a deeper look at it.

What do you think?

Cheers,
Giuseppe
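To make the policy under discussion concrete, here is a small model of the decision logic (an added illustration, not wget's or GnuTLS's code): X.509 chain validation is always attempted first, trust-on-first-use only kicks in when the chain fails, and a "force" mode stands in for the proposed --no-check-certificate=force. The Mode names, the in-memory pin store and the SHA-256 fingerprint over the DER certificate are assumptions of this example.

```python
import hashlib
from enum import Enum


class Mode(Enum):
    STRICT = "strict"  # current default: the X.509 chain must validate
    TOFU = "tofu"      # proposed: chain first, then trust-on-first-use pinning
    FORCE = "force"    # proposed --no-check-certificate=force: accept anything


def fingerprint(cert_der: bytes) -> str:
    """Pin identity = SHA-256 of the DER certificate (assumed format)."""
    return hashlib.sha256(cert_der).hexdigest()


def verify(host: str, cert_der: bytes, chain_valid: bool,
           mode: Mode, pins: dict) -> tuple:
    """Return (accepted, reason). `pins` maps host -> fingerprint and is
    updated in place the first time an unvalidated host is seen."""
    if chain_valid:
        return True, "x509-chain"          # normal PKI path, no pinning needed
    if mode is Mode.STRICT:
        return False, "chain-invalid"
    if mode is Mode.FORCE:
        return True, "forced"              # explicit opt-out of all checking
    fp = fingerprint(cert_der)
    known = pins.get(host)
    if known is None:
        pins[host] = fp                    # first use: remember and continue
        return True, "tofu-first-use"
    if known == fp:
        return True, "tofu-match"          # same key as last time
    return False, "tofu-mismatch"          # key changed: refuse, like ssh does


def demo() -> list:
    """Constructed scenario: a self-signed host seen twice, then with a
    different certificate; returns the sequence of (accepted, reason)."""
    pins = {}
    cert_a, cert_b = b"constructed-cert-A", b"constructed-cert-B"
    return [
        verify("example.test", cert_a, False, Mode.STRICT, pins),
        verify("example.test", cert_a, False, Mode.TOFU, pins),
        verify("example.test", cert_a, False, Mode.TOFU, pins),
        verify("example.test", cert_b, False, Mode.TOFU, pins),
        verify("example.test", cert_b, False, Mode.FORCE, pins),
    ]


if __name__ == "__main__":
    for accepted, reason in demo():
        print("accept" if accepted else "reject", reason)
```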
