Re: [Bug-wget] Force use of no default certificates
From: Tim Ruehsen
Subject: Re: [Bug-wget] Force use of no default certificates
Date: Mon, 04 May 2015 16:08:23 +0200
User-agent: KMail/4.14.2 (Linux/3.16.0-4-amd64; KDE/4.14.2; x86_64; ; )
On Monday 04 May 2015 11:28:01 John Edwards wrote:
> Hi all,
>
> we're having trouble forcing wget to reject https servers that do not
> present themselves with a valid certificate in the context of a custom CA. It
> seems that wget has some default set of trusted certificates (that is
> verisign, blah blah) that can't be disabled.
>
> For example, I want this to fail
> wget -O- --ca-certificate=myservercert.pem https://www.google.com
>
> assuming myservercert.pem has nothing to do with Google's certificate or
> its trust chain, but it does not fail. With curl, I'm having no trouble.
>
> According to replies at
> http://unix.stackexchange.com/questions/199372/wget-force-no-default-certificates
> this seems to be a bug (or configuration error?) on some wget
> versions, but not others.
>
> Any thoughts?
Hi John,
having a look at src/gnutls.c:
All certs from the system cert directory are loaded - your ca-cert will be
loaded additionally.
If you don't want any system certs, you have to specify an empty --ca-directory.
If your version of Wget is linked with openssl it might behave differently (I
didn't test it, but if it behaves like I guess, it is a bug).
...
SSL_CTX_set_default_verify_paths (ssl_ctx);
SSL_CTX_load_verify_locations (ssl_ctx, opt.ca_cert, opt.ca_directory);
...
The two lines above are executed unconditionally.
SSL_CTX_set_default_verify_paths sets the OpenSSL compiled-in cert file and
path. AFAIK it internally calls SSL_CTX_load_verify_locations().
I am not sure if a second call to SSL_CTX_load_verify_locations adds up or
overwrites former settings.
Someone with an OpenSSL version of Wget has to give it a try...
Regards, Tim