Re: [Bug-wget] Docs missing info on ca_directory and ca_certfile
From: Tim Rühsen
Subject: Re: [Bug-wget] Docs missing info on ca_directory and ca_certfile
Date: Fri, 22 Feb 2019 13:06:19 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.5.1
On 1/3/19 6:39 PM, Jeffrey Walton wrote:
> On Thu, Jan 3, 2019 at 12:23 PM Ander Juaristi <address@hidden> wrote:
>>
>> The patch looks good to me. As Tim says, I would also pass NULL as the
>> second param in line 20. If we provide --ca-directory what would happen
>> is that OpenSSL will pick up the most suitable certificate from the
>> directory based on the hash value of the name, and some other field I
>> don't remember. GnuTLS will consider all of them. In the end it's the
>> same behavior.
>>
>> Tim, could you merge the patch?
>
> Feel free to knob turn on it. I'm fine with merciless editing.
>
> The three use cases I was trying to capture are:
>
> (1) wget ... # no CAs specified; use defaults from wgetrc
>
> (2) wget --ca-file=... # Use only this CA or collection of CAs
>
> (3) wget --ca_directory=... # Use only this collection of CAs
>
> Cases (2) and (3) attempt to avoid unwanted additional CAs for those
> who are trying to be strict about what they are willing to accept.
I just made up a first commit out of the 'partial trust chain' code.
The second part (your points 1-3) would look a bit different.
For backwards compat we don't want to change wget's behavior when using
--ca-file and/or --ca_directory (not even to fix a design flaw).
But we could skip loading the default certs (via
SSL_CTX_set_default_verify_paths()) when --ca-file=... *and*
--ca_directory="" is given.
Another (cleaner) option would be to add a new option --ca-skip-defaults.
WDYT?
Regards, Tim
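As a worked illustration of the three cases above (added here; it is not code from the thread, from wget or from OpenSSL), the following script uses the openssl(1) command-line tool, whose verify subcommand layers trust the same way wget's OpenSSL backend does: -CAfile/-CApath are added on top of the built-in default locations unless -no-CAfile/-no-CApath (plus -no-CAstore on OpenSSL 3) are given, which is the command-line analogue of not calling SSL_CTX_set_default_verify_paths(). It also shows the hash-directory behaviour Ander mentions: a -CApath directory finds nothing until it has been rehashed. It assumes OpenSSL 1.1.0 or newer on a Unix-like host with mktemp; the CA names, file names and the leaf subject leaf.example.test are invented for the example.

```shell
#!/bin/sh
# Added example for the bug-wget thread above; not code from wget or OpenSSL.
# Assumes an OpenSSL 1.1.0+ command-line tool on PATH on a Unix-like host.
# All CA names, file names and the leaf.example.test subject are made up here.
set -eu

# make_pki DIR: build a throwaway PKI in DIR: two unrelated private CAs
# (ca-a, ca-b), a leaf certificate issued by ca-b, and a copy of ca-b in
# DIR/capath so the hash-directory lookup can be exercised.
make_pki() {
  dir=$1
  mkdir -p "$dir/capath"
  for ca in ca-a ca-b; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$ca" \
      -keyout "$dir/$ca.key" -out "$dir/$ca.pem" >/dev/null 2>&1
  done
  openssl req -newkey rsa:2048 -nodes -subj "/CN=leaf.example.test" \
    -keyout "$dir/leaf.key" -out "$dir/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$dir/leaf.csr" \
    -CA "$dir/ca-b.pem" -CAkey "$dir/ca-b.key" -CAcreateserial \
    -out "$dir/leaf.pem" >/dev/null 2>&1
  cp "$dir/ca-b.pem" "$dir/capath/"
}

# skip_defaults_flags: the openssl(1) options that stop 'verify' from loading
# the built-in default CA file and directory (and, on OpenSSL 3, the default
# store) on top of whatever -CAfile/-CApath name.  This is the command-line
# analogue of leaving SSL_CTX_set_default_verify_paths() out in wget.
skip_defaults_flags() {
  flags="-no-CAfile -no-CApath"
  if openssl verify -help 2>&1 | grep -q -- '-no-CAstore'; then
    flags="$flags -no-CAstore"
  fi
  echo "$flags"
}

# verify_strict LEAF [verify options...]: verify LEAF against only the CAs
# named in the options.  Prints "ok" or "fail".
verify_strict() {
  leaf=$1; shift
  # the flag list is deliberately unquoted so it word-splits into options
  if openssl verify $(skip_defaults_flags) "$@" "$leaf" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# run_demo: exercise the trust configurations discussed in the thread and
# print the four results; expected "ok fail fail ok".
run_demo() {
  dir=$(mktemp -d)
  make_pki "$dir"
  # (2) a single CA file: the issuer accepts the leaf, an unrelated CA does
  #     not, and the system trust store is not consulted either way.
  r1=$(verify_strict "$dir/leaf.pem" -CAfile "$dir/ca-b.pem")
  r2=$(verify_strict "$dir/leaf.pem" -CAfile "$dir/ca-a.pem")
  # (3) a CA directory: OpenSSL looks files up by subject-name hash, so a
  #     directory that has not been rehashed finds nothing, even though the
  #     issuer's certificate is sitting in it.
  r3=$(verify_strict "$dir/leaf.pem" -CApath "$dir/capath")
  openssl rehash "$dir/capath" >/dev/null 2>&1
  r4=$(verify_strict "$dir/leaf.pem" -CApath "$dir/capath")
  rm -rf "$dir"
  echo "$r1 $r2 $r3 $r4"
}

run_demo
```

The rehashed directory is the same layout wget's --ca-directory expects (the wget manual describes it as a c_rehash-processed directory), and --ca-certificate is the file-based counterpart; the difference the thread is about is that wget currently adds those on top of the defaults, with nothing corresponding to the -no-CA* flags used here.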