bug-wget
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Bug-wget] Wget cannot validate https://ftp.gnu.org?


From: Jeffrey Walton
Subject: Re: [Bug-wget] Wget cannot validate https://ftp.gnu.org?
Date: Wed, 18 Oct 2017 19:58:30 -0400

On Mon, Oct 16, 2017 at 4:52 AM, Tim Rühsen <address@hidden> wrote:
> ...
>
> Caveat: wget has been build with GnuTLS (3.5.15). The OpenSSL (1.1.0f)
> code seems not to support --ca-directory !? It succeeds with both the
> above tests. While we only actively support GnuTLS, we accept OpenSSL
> code patches (if you like to provide one).

I believe this is most of the patch you need. You or Simon will still
need to touch it up. For example, I did not know how to handle a
failure in OpenSSL from X509_VERIFY_PARAM_new().

$ git diff > openssl.c.diff
$ cat openssl.c.diff
diff --git a/src/openssl.c b/src/openssl.c
index 0404d2d0..62d8b084 100644
--- a/src/openssl.c
+++ b/src/openssl.c
@@ -269,11 +269,36 @@ ssl_init (void)
    * Since we want a good protection, we also use HIGH (that excludes
MD4 ciphers and some more)
    */
   if (opt.secure_protocol == secure_protocol_pfs)
-    SSL_CTX_set_cipher_list (ssl_ctx,
"HIGH:MEDIUM:!RC4:!SRP:!PSK:!RSA:address@hidden");
+    SSL_CTX_set_cipher_list (ssl_ctx, "HIGH:!aNULL:!kRSA:!RC4:!MD5:!SRP:!PSK");

   SSL_CTX_set_default_verify_paths (ssl_ctx);
   SSL_CTX_load_verify_locations (ssl_ctx, opt.ca_cert, opt.ca_directory);

+  if (opt.ca_cert)
+    {
+      /* Set X509_V_FLAG_PARTIAL_CHAIN to allow the client to anchor trust in
+       * a non-self-signed certificate. This defies RFC 4158 (Path Building)
+       * which defines a trust anchor in terms of a self-signed certificate.
+       * However, it substantially reduces attack surface by prunning the tree
+       * of unneeded trust points. For example, the cross-certified
+       * Let's Encrypt X3 CA, which protects gnu.org, appears as an
+       * intermediate CA to clients, can be used as a trust anchor without
+       * the entire IdentTrust PKI.
+       */
+      X509_VERIFY_PARAM *param = X509_VERIFY_PARAM_new();
+      if (!param)
+           {
+          /* TODO: How does Wget handle a malloc failure? */
+           }
+         else
+           {
+             /* Return value is the old options */
+             (void)X509_VERIFY_PARAM_set_flags(param,
X509_V_FLAG_PARTIAL_CHAIN);
+             SSL_CTX_set1_param(ssl_ctx, param);
+             X509_VERIFY_PARAM_free(param);
+           }
+    }
+
   if (opt.crl_file)
     {
       X509_STORE *store = SSL_CTX_get_cert_store (ssl_ctx);


Jeff

Attachment: openssl.c.diff
Description: Text document


reply via email to

[Prev in Thread] Current Thread [Next in Thread]