Re: [Bug-wget] Wget cannot validate https://ftp.gnu.org?
From: Jeffrey Walton
Subject: Re: [Bug-wget] Wget cannot validate https://ftp.gnu.org?
Date: Wed, 18 Oct 2017 19:58:30 -0400
On Mon, Oct 16, 2017 at 4:52 AM, Tim Rühsen <address@hidden> wrote:
> ...
>
> Caveat: wget has been built with GnuTLS (3.5.15). The OpenSSL (1.1.0f)
> code seems not to support --ca-directory !? It succeeds with both the
> above tests. While we only actively support GnuTLS, we accept OpenSSL
> code patches (if you'd like to provide one).
I believe this is most of the patch you need. You or Simon will still
need to touch it up. For example, I did not know how to handle a
failure in OpenSSL from X509_VERIFY_PARAM_new().
$ git diff > openssl.c.diff
$ cat openssl.c.diff
diff --git a/src/openssl.c b/src/openssl.c
index 0404d2d0..62d8b084 100644
--- a/src/openssl.c
+++ b/src/openssl.c
@@ -269,11 +269,36 @@ ssl_init (void)
* Since we want a good protection, we also use HIGH (that excludes
MD4 ciphers and some more)
*/
if (opt.secure_protocol == secure_protocol_pfs)
- SSL_CTX_set_cipher_list (ssl_ctx,
"HIGH:MEDIUM:!RC4:!SRP:!PSK:!RSA:address@hidden");
+ SSL_CTX_set_cipher_list (ssl_ctx, "HIGH:!aNULL:!kRSA:!RC4:!MD5:!SRP:!PSK");
SSL_CTX_set_default_verify_paths (ssl_ctx);
SSL_CTX_load_verify_locations (ssl_ctx, opt.ca_cert, opt.ca_directory);
+ if (opt.ca_cert)
+ {
+ /* Set X509_V_FLAG_PARTIAL_CHAIN to allow the client to anchor trust in
+ * a non-self-signed certificate. This defies RFC 4158 (Path Building)
+ * which defines a trust anchor in terms of a self-signed certificate.
+ * However, it substantially reduces attack surface by prunning the tree
+ * of unneeded trust points. For example, the cross-certified
+ * Let's Encrypt X3 CA, which protects gnu.org, appears as an
+ * intermediate CA to clients, can be used as a trust anchor without
+ * the entire IdentTrust PKI.
+ */
+ X509_VERIFY_PARAM *param = X509_VERIFY_PARAM_new();
+ if (!param)
+ {
+ /* TODO: How does Wget handle a malloc failure? */
+ }
+ else
+ {
+ /* Return value is the old options */
+ (void)X509_VERIFY_PARAM_set_flags(param,
X509_V_FLAG_PARTIAL_CHAIN);
+ SSL_CTX_set1_param(ssl_ctx, param);
+ X509_VERIFY_PARAM_free(param);
+ }
+ }
+
if (opt.crl_file)
{
X509_STORE *store = SSL_CTX_get_cert_store (ssl_ctx);
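Review bot: X509_V_FLAG_PARTIAL_CHAIN is only enabled under `if (opt.ca_cert)`, so the --ca-directory case raised in the quoted message is left unchanged: a directory that contains only the intermediate that issued the server certificate will still fail verification with OpenSSL. Consider gating on either option, e.g. `if (opt.ca_cert || opt.ca_directory)`. Two smaller points in the same block: the empty `if (!param)` branch means an allocation failure silently continues with the default verification flags, so at least log it (or test `if (param)` and skip the block) rather than leaving a bare TODO, and the return values of X509_VERIFY_PARAM_set_flags and SSL_CTX_set1_param are discarded; the comment "Return value is the old options" is also inaccurate, since X509_VERIFY_PARAM_set_flags returns 1 on success and 0 on failure. The cipher-list change at the top of the hunk (dropping MEDIUM, adding !aNULL and !kRSA) is a separate behaviour change unrelated to CA-directory support and would be easier to review as its own patch. Typo in the new comment: "prunning" should be "pruning".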
Jeff