bug-wget

Re: [Bug-wget] Force use of no default certificates


From: John Edwards
Subject: Re: [Bug-wget] Force use of no default certificates
Date: Wed, 6 May 2015 12:41:59 +0200

On Tue, May 5, 2015 at 9:06 PM, Tim Rühsen <address@hidden> wrote:

> So, please send your email to the mailing list. Of course there has to be
> some decision (we are talking about a bug). And your effort (even just
> asking/pinging the list) is highly appreciated!
>

Hi, sorry, guess I did not hit 'reply all' on this. So the original
question was: is this going to be fixed in a future wget version, or is this
more of an OpenSSL problem and I should try to raise an issue with them?


> Also, tell us what you think about this issue. How would you like to see it
> being solved ? Your opinion will likely influence the final solution and I
> would like to see your name as contributor (even reporting is a kind of
> contribution).
>

At the very least it should be documented clearly that currently wget
always trusts some (rather large) set of servers. I also think that there
are situations where you have a private CA and this default behavior is
counterproductive and may even be viewed as a gaping security issue. In
mutual SSL auth you want absolute control over who you trust, and placing
default trust in public CAs allows anyone with $50 to become trusted. So
either the default should be changed (and consistent over all distros) or
there should be options to force it either way.
I have no explicit need to be listed as contributor, but if you feel that's
the right thing to do, I leave that up to you.


>
> On Tuesday, 5 May 2015, 17:18:52, John Edwards wrote:
> > Thanks for looking into this... so what now? Is this going to be
> > corrected in the next wget? Or is this an OpenSSL bug?
> >
> > On Mon, May 4, 2015 at 4:46 PM, Tim Ruehsen <address@hidden> wrote:
> > > > Someone with an OpenSSL version of Wget has to give it a try...
> > >
> > > I just gave it a try... as I thought, the openssl and gnutls code work
> > > differently. The relevant OpenSSL docs are IMHO very imprecise.
> > >
> > > This code does it for me (and survives the test suite), but I have the
> > > feeling this is not the complete solution (one has to dig up the OpenSSL
> > > code to be 100% sure).
> > >
> > >   if (opt.ca_cert || opt.ca_directory)
> > >     SSL_CTX_load_verify_locations (ssl_ctx, opt.ca_cert, opt.ca_directory);
> > >   else
> > >     SSL_CTX_set_default_verify_paths (ssl_ctx);
> > >
> > > Regards, Tim
> > >
> > > On Monday 04 May 2015 16:08:23 Tim Ruehsen wrote:
> > > > On Monday 04 May 2015 11:28:01 John Edwards wrote:
> > > > > Hi all,
> > > > >
> > > > > we're having trouble forcing wget to reject https servers that do not
> > > > > present themselves with a valid certificate in the context of a custom
> > > > > CA. It seems that wget has some default set of trusted certificates
> > > > > (that is verisign, blah blah) that can't be disabled.
> > > > >
> > > > > For example, I want this to fail
> > > > > wget -O- --ca-certificate=myservercert.pem https://www.google.com
> > > > >
> > > > > assuming myservercert.pem has nothing to do with Google's certificate
> > > > > or its trust chain, but it does not fail. With curl, I'm having no
> > > > > trouble.
> > > > > According to replies at
> > > > > http://unix.stackexchange.com/questions/199372/wget-force-no-default-certificates
> > > > > this seems to be a bug (or configuration error?) on some wget
> > > > > versions, but not others.
> > > > >
> > > > > Any thoughts?
> > > >
> > > > Hi John,
> > > >
> > > > having a look at src/gnutls.c:
> > > >
> > > > All certs from the system cert directory are loaded - your ca-cert will
> > > > be loaded additionally.
> > > >
> > > > If you don't want any system certs, you have to specify an empty
> > > > --ca-directory.
> > > >
> > > > If your version of Wget is linked with openssl it might behave
> > > > differently (I didn't test it, but if it behaves like I guess, it is a
> > > > bug).
> > > >
> > > > ...
> > > >
> > > >   SSL_CTX_set_default_verify_paths (ssl_ctx);
> > > >   SSL_CTX_load_verify_locations (ssl_ctx, opt.ca_cert, opt.ca_directory);
> > > >
> > > > ...
> > > >
> > > > The two lines above are executed unconditionally.
> > > > SSL_CTX_set_default_verify_paths sets the OpenSSL compiled-in cert file
> > > > and path. AFAIK it internally calls SSL_CTX_load_verify_locations().
> > > > I am not sure if a second call to SSL_CTX_load_verify_locations adds up
> > > > or overwrites former settings.
> > > > Someone with an OpenSSL version of Wget has to give it a try...
> > > >
> > > > Regards, Tim
>
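
The question Tim leaves open above (does a second SSL_CTX_load_verify_locations add to or replace what SSL_CTX_set_default_verify_paths loaded?) and John's symptom (a server accepted although --ca-certificate names an unrelated CA) can both be checked offline. What follows is an added example, not code from wget, OpenSSL or either poster: it drives the same two OpenSSL calls through Python's ssl module (SSLContext.load_verify_locations wraps SSL_CTX_load_verify_locations, SSLContext.set_default_verify_paths wraps SSL_CTX_set_default_verify_paths) and runs a TLS handshake between two contexts over in-memory BIOs, so no network is needed. Because a test CA can never be in the real system store, a constructed "public" CA file stands in for the compiled-in default path; the openssl command lines, the extension config, the CA names and the helper functions are all assumptions of this example. The only things taken from the thread are the order of the two calls in wget's src/openssl.c and Tim's proposed if/else. It needs the openssl command-line tool on PATH.

```python
import os
import ssl
import subprocess
import tempfile

# Constructed openssl config: real CAs (keyUsage/SKID are required under VERIFY_X509_STRICT), a SAN.
EXT_CONFIG = """\
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = CA:FALSE
authorityKeyIdentifier = keyid
subjectAltName = DNS:localhost
"""

def _openssl(*args):
    subprocess.run(["openssl", *args], check=True, capture_output=True)

def make_ca(workdir, cfg, name):
    """Self-signed CA certificate; returns (cert_path, key_path)."""
    cert, key = os.path.join(workdir, name + ".pem"), os.path.join(workdir, name + ".key")
    _openssl("req", "-x509", "-config", cfg, "-extensions", "v3_ca", "-newkey", "rsa:2048",
             "-nodes", "-keyout", key, "-out", cert, "-days", "1", "-subj", "/CN=" + name)
    return cert, key

def issue_server_cert(workdir, cfg, ca):
    """Certificate for 'localhost' signed by ca=(cert, key); returns (cert_path, key_path)."""
    csr, cert, key = (os.path.join(workdir, "server." + e) for e in ("csr", "pem", "key"))
    _openssl("req", "-new", "-config", cfg, "-newkey", "rsa:2048", "-nodes",
             "-keyout", key, "-out", csr, "-subj", "/CN=localhost")
    _openssl("x509", "-req", "-in", csr, "-CA", ca[0], "-CAkey", ca[1], "-CAcreateserial",
             "-days", "1", "-extfile", cfg, "-extensions", "v3_server", "-out", cert)
    return cert, key

def trust_as_shipped(ctx, system_cafile, ca_cert=None, ca_directory=None):
    """Order quoted from wget's src/openssl.c: defaults first, then the user's locations, always."""
    ctx.load_verify_locations(cafile=system_cafile)  # stand-in for ctx.set_default_verify_paths()
    if ca_cert or ca_directory:  # Python raises TypeError on (None, None); wget ignored the failed call
        ctx.load_verify_locations(cafile=ca_cert, capath=ca_directory)

def trust_as_proposed(ctx, system_cafile, ca_cert=None, ca_directory=None):
    """Tim's proposed if/else: explicit locations replace the defaults instead of adding to them."""
    if ca_cert or ca_directory:
        ctx.load_verify_locations(cafile=ca_cert, capath=ca_directory)
    else:
        ctx.load_verify_locations(cafile=system_cafile)

def _pump(src, dst):
    if data := src.read():
        dst.write(data)

def handshake(client_ctx, server_ctx, hostname="localhost"):
    """TLS handshake over in-memory BIOs; returns 'OK' or the client's certificate verify error."""
    c_in, c_out, s_in, s_out = (ssl.MemoryBIO() for _ in range(4))
    client = client_ctx.wrap_bio(c_in, c_out, server_hostname=hostname)
    server = server_ctx.wrap_bio(s_in, s_out, server_side=True)
    client_done = server_done = False
    for _ in range(20):  # a handshake needs only a few round trips
        if not client_done:
            try:
                client.do_handshake()
                client_done = True
            except ssl.SSLWantReadError:
                pass
            except ssl.SSLCertVerificationError as e:
                return e.verify_message
        _pump(c_out, s_in)
        if not server_done:
            try:
                server.do_handshake()
                server_done = True
            except ssl.SSLWantReadError:
                pass
        _pump(s_out, c_in)
        if client_done and server_done:
            return "OK"
    return "handshake did not complete"

def run_demo():
    """Server cert chains to the 'public' CA (stand-in for the system store); --ca-certificate names 'private'."""
    with tempfile.TemporaryDirectory() as d:
        cfg = os.path.join(d, "ext.cnf")
        with open(cfg, "w") as f:
            f.write(EXT_CONFIG)
        public_ca, private_ca = make_ca(d, cfg, "public"), make_ca(d, cfg, "private")
        server = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        server.load_cert_chain(*issue_server_cert(d, cfg, public_ca))
        results = {}
        for name, configure, ca_cert in (("shipped", trust_as_shipped, private_ca[0]),
                                         ("proposed", trust_as_proposed, private_ca[0]),
                                         ("proposed_no_option", trust_as_proposed, None)):
            ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check
            configure(ctx, public_ca[0], ca_cert=ca_cert)
            results[name] = handshake(ctx, server)
        return results
```

run_demo() returns "OK" for "shipped": the server is accepted even though the explicitly passed CA never issued its certificate, which is John's symptom and answers Tim's question (the second SSL_CTX_load_verify_locations adds to the X509 store; it does not replace what was loaded before). "proposed" returns the verify error instead, and "proposed_no_option" returns "OK", so the fallback to the defaults still works when no option is given. To exercise the real system store rather than the stand-in file, replace the system_cafile load with ctx.set_default_verify_paths().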

