Re: [Bug-wget] Docs missing info on ca_directory and ca_certfile

From: Tim Rühsen
Subject: Re: [Bug-wget] Docs missing info on ca_directory and ca_certfile
Date: Fri, 22 Feb 2019 13:06:19 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.5.1

On 1/3/19 6:39 PM, Jeffrey Walton wrote:
> On Thu, Jan 3, 2019 at 12:23 PM Ander Juaristi <address@hidden> wrote:
>> The patch looks good to me. As Tim says, I would also pass NULL as the
>> second param in line 20.  If we provide --ca-directory what would happen
>> is that OpenSSL will pick up the most suitable certificate from the
>> directory based on the hash value of the name, and some other field I
>> don't remember. GnuTLS will consider all of them. In the end it's the
>> same behavior.
>> Tim, could you merge the patch?
> Feel free to knob turn on it. I'm fine with merciless editing.
> The three use cases I was trying to capture are:
> (1) wget ...  # no CAs specified; use defaults from wgetrc
> (2) wget --ca-file=... # Use only this CA or collection of CAs
> (3) wget --ca_directory=...   # Use only this collection of CAs
> Cases (2) and (3) attempt to avoid unwanted additional CAs for those
> who are trying to be strict about what they are willing to accept.

I just made up a first commit out of the 'partial trust chain' code.

The second part (your points 1-3) would look a bit different.

For backwards compat we don't want to change wget's behavior when using
--ca-file and/or --ca_directory (not even to fix a design flaw).

But we could skip loading the default certs (via
SSL_CTX_set_default_verify_paths()) when --ca-file=... *and*
--ca_directory="" is given.

Another (cleaner) option would be to add a new option --ca-skip-defaults.


Regards, Tim
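The three cases above, plus the proposed "skip defaults" behaviour, as an added example that is not part of this thread or of wget's code. Python's ssl module wraps the same OpenSSL calls (load_verify_locations() is SSL_CTX_load_verify_locations(), set_default_verify_paths() is SSL_CTX_set_default_verify_paths()), and cert_store_stats() lets you check what the context actually trusts; build_verify_context and trusted_ca_count are names chosen here.

```python
import ssl
from typing import Optional


def build_verify_context(ca_file: Optional[str] = None,
                         ca_directory: Optional[str] = None,
                         skip_defaults: bool = False) -> ssl.SSLContext:
    """Build a client context that mirrors wget's --ca-file/--ca-directory handling.

    ca_file       -> SSL_CTX_load_verify_locations(ctx, file, NULL)
    ca_directory  -> SSL_CTX_load_verify_locations(ctx, NULL, dir)
    skip_defaults -> when True, do NOT call SSL_CTX_set_default_verify_paths(),
                     so only the explicitly given CAs are trusted (the strict
                     cases (2) and (3) from the thread, or a --ca-skip-defaults).
    """
    # PROTOCOL_TLS_CLIENT starts with an empty trust store: nothing is
    # trusted until we load something into it.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True

    if ca_file is not None or ca_directory is not None:
        # OpenSSL hashes the subject name to find files in capath;
        # a PEM bundle in cafile is read in full.
        ctx.load_verify_locations(cafile=ca_file, capath=ca_directory)

    if not skip_defaults:
        # Current wget behaviour: the system default CA paths are added
        # on top of whatever --ca-file/--ca-directory supplied.
        ctx.set_default_verify_paths()

    return ctx


def trusted_ca_count(ctx: ssl.SSLContext) -> int:
    """Number of CA certificates the context will use as trust anchors."""
    return ctx.cert_store_stats()["x509_ca"]


if __name__ == "__main__":
    lax = build_verify_context()                     # case (1): defaults only
    strict = build_verify_context(skip_defaults=True)  # nothing trusted at all
    print("default paths loaded:", trusted_ca_count(lax), "CA certs")
    print("skip defaults, no CA given:", trusted_ca_count(strict), "CA certs")
```

Pass a PEM bundle as ca_file or a hashed directory as ca_directory together with skip_defaults=True to see that only those anchors are counted.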
