Re: [Bug-wget] libtlssep and wget

From: W. Michael Petullo
Subject: Re: [Bug-wget] libtlssep and wget
Date: Thu, 23 Jul 2015 08:30:38 -0400
> But as I said, I haven't seen any reference to the opt.check_cert
> variable anywhere, not even around the call to tlssep_connect(), so
> theoretically, your code is completely ignoring the --no-check-certificate
> flag, causing a potential bug in which Wget will fail when a certificate
> is invalid (or self-signed, as well?) even though the user has explicitly
> told it not to verify them.

Yes, this is true. The paper mentions this caveat, and the patch is
certainly not yet ready for merging into mainstream. All of the code is
currently of research prototype quality, but we hope to be able to make
a stable release soon.

OpenBSD's libtls library takes the approach of verifying certificates
by default but allowing programmers to explicitly turn verification off.

We presently take the more firm approach that only a configuration file
change can affect if/how verification takes place. We could certainly
add an API call to transition into "unsafe" mode, or we could allow the
application to poll the setting and warn users that --no-check-certificate
has no effect. Yet introducing these abilities would allow a compromised
application to reconfigure itself; this might not be an additional
capability on many systems, but with (something like) SELinux forcing
applications to use libtlssep, this might allow the compromised
application to make a connection in a way not otherwise permitted.

I would be interested to hear other programmers' ideas.
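The two designs contrasted above (libtls: verify by default, application may opt out explicitly; libtlssep: only a configuration file controls verification, and the application can at most observe that its flag had no effect) can be modelled with Python's standard `ssl` module. The block below is an added illustration written for this thread; it is not code from libtlssep, libtls or wget. The policy-file format, the `check_cert` key and the function names are assumptions chosen for the example, not libtlssep's real configuration syntax.

```python
import configparser
import ssl

# Constructed sample policy file standing in for a system-wide, admin-owned
# configuration (as in the libtlssep design). The format is an assumption.
POLICY_FILE_TEXT = """
[verification]
check_cert = yes
"""


def load_policy(policy_text: str = POLICY_FILE_TEXT) -> bool:
    """Return True if the policy file says certificates must be verified."""
    cp = configparser.ConfigParser()
    cp.read_string(policy_text)
    # Fail closed: a missing key means "verify".
    return cp.getboolean("verification", "check_cert", fallback=True)


def libtls_style_context(app_check_cert: bool) -> ssl.SSLContext:
    """libtls-style policy: verification is on by default, but the application
    may explicitly switch it off (e.g. to honour --no-check-certificate)."""
    ctx = ssl.create_default_context()
    if not app_check_cert:
        # check_hostname must be cleared before verify_mode can be relaxed.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def libtlssep_style_context(app_check_cert: bool,
                            policy_text: str = POLICY_FILE_TEXT):
    """Config-only policy: the application's flag is ignored; only the policy
    file decides. Returns (context, flag_honoured) so the caller can warn the
    user when --no-check-certificate had no effect."""
    policy_check = load_policy(policy_text)
    ctx = ssl.create_default_context()
    if not policy_check:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    flag_honoured = (app_check_cert == policy_check)
    return ctx, flag_honoured


def no_check_cert_warning(app_check_cert: bool,
                          policy_text: str = POLICY_FILE_TEXT) -> str:
    """Message an application could print when its request disagrees with the
    policy file. Empty string when there is nothing to warn about."""
    _, honoured = libtlssep_style_context(app_check_cert, policy_text)
    if honoured:
        return ""
    if app_check_cert:
        return "warning: policy file disables certificate verification"
    return "warning: --no-check-certificate has no effect; policy file requires verification"


if __name__ == "__main__":
    ctx = libtls_style_context(app_check_cert=False)
    print("libtls-style, app opted out:", ctx.verify_mode)
    ctx, honoured = libtlssep_style_context(app_check_cert=False)
    print("libtlssep-style, app opted out:", ctx.verify_mode, "honoured:", honoured)
    print(no_check_cert_warning(app_check_cert=False))
```

The point of the second design is visible in `libtlssep_style_context`: nothing the application passes in can relax `verify_mode`, so a compromised process cannot reconfigure itself, and the only thing it learns is whether its request matched the policy.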

