
Re: [Bug-wget] Force use of no default certificates


From: Tim Ruehsen
Subject: Re: [Bug-wget] Force use of no default certificates
Date: Mon, 04 May 2015 16:08:23 +0200
User-agent: KMail/4.14.2 (Linux/3.16.0-4-amd64; KDE/4.14.2; x86_64; ; )

On Monday 04 May 2015 11:28:01 John Edwards wrote:
> Hi all,
> 
> we're having trouble forcing wget to reject https servers that do not
> present themselves with valid certificate in the context of custom CA. It
> seems that wget has some default set of trusted certificates (that is
> verisign, blah blah) that can't be disabled.
> 
> For example, I want this to fail
> wget -O- --ca-certificate=myservercert.pem https://www.google.com
> 
> assuming myservercert.pem has nothing to do with Google's certificate or
> its trust chain, but it does not fail. With curl, I'm having no trouble.
> 
> According to replies at
> http://unix.stackexchange.com/questions/199372/wget-force-no-default-certificates
> this seems to be a bug (or configuration error?) on some wget
> versions, but not others.
> 
> Any thoughts?

Hi John,

having a look at src/gnutls.c:

All certs from the system cert directory are loaded - your ca-cert will be 
loaded additionally.

If you don't want any system certs, you have to specify an empty
--ca-directory.

If your version of Wget is linked with openssl it might behave differently (I 
didn't test it, but if it behaves like I guess, it is a bug).

...
  SSL_CTX_set_default_verify_paths (ssl_ctx);
  SSL_CTX_load_verify_locations (ssl_ctx, opt.ca_cert, opt.ca_directory);
...

The two lines above are executed unconditionally.
SSL_CTX_set_default_verify_paths sets the OpenSSL compiled-in cert file and 
path. AFAIK it internally calls SSL_CTX_load_verify_locations().
I am not sure if a second call to SSL_CTX_load_verify_locations adds up or 
overwrites former settings.
Someone with an OpenSSL version of Wget has to give it a try...

Regards, Tim
