On Monday 04 May 2015 11:28:01 John Edwards wrote:
> Hi all,
>
> we're having trouble forcing wget to reject https servers that do not
> present themselves with a valid certificate in the context of a custom CA. It
> seems that wget has some default set of trusted certificates (that is
> verisign, blah blah) that can't be disabled.
>
> For example, I want this to fail
>
>   wget -O- --ca-certificate=myservercert.pem https://www.google.com
>
> assuming myservercert.pem has nothing to do with Google's certificate or
> its trust chain, but it does not fail. With curl, I'm having no trouble.
>
> According to replies at
> http://unix.stackexchange.com/questions/199372/wget-force-no-default-certificates
> this seems to be a bug (or configuration error?) on some wget
> versions, but not others.
>
> Any thoughts?
Hi John,

having a look at src/gnutls.c: All certs from the system cert directory are
loaded - your ca-cert will be loaded additionally. If you don't want any
system certs, you have to specify an empty --ca-directory.

If your version of Wget is linked with OpenSSL it might behave differently
(I didn't test it, but if it behaves like I guess, it is a bug).

  ...
  SSL_CTX_set_default_verify_paths (ssl_ctx);
  SSL_CTX_load_verify_locations (ssl_ctx, opt.ca_cert, opt.ca_directory);
  ...

The two lines above are executed unconditionally.
SSL_CTX_set_default_verify_paths sets the OpenSSL compiled-in cert file and
path. AFAIK it internally calls SSL_CTX_load_verify_locations(). I am not
sure if a second call to SSL_CTX_load_verify_locations adds up or
overwrites former settings. Someone with an OpenSSL version of Wget has to
give it a try...

Regards, Tim
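The check John is after, worked through with the openssl CLI instead of wget, as an added example that is not part of this thread and not code from Wget or OpenSSL. It builds a throwaway private CA and a leaf certificate signed by it, then verifies the leaf with a single chosen CA file as the only trusted certificate: -no-CAfile/-no-CApath (and -no-CAstore on OpenSSL 3) switch off the compiled-in default locations, which is the store that an unconditional SSL_CTX_set_default_verify_paths() adds to the context in the OpenSSL snippet Tim quotes. It assumes the openssl CLI (1.1.0 or newer) is installed; the names myca, unrelated, server and the wget line at the end are hypothetical, and the wget line follows Tim's reading of src/gnutls.c without being run here.

```shell
#!/bin/sh
# Added example, not from the thread or from Wget: a private CA, a leaf signed
# by it, and a verification that trusts nothing but one chosen CA file.
# Assumes the openssl CLI (1.1.0+). All certificates are generated locally.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Flags that disable OpenSSL's default trust locations. OpenSSL 3 adds a
# third default (the CA store), so include -no-CAstore when it is understood.
NO_DEFAULTS="-no-CAfile -no-CApath"
if openssl verify -help 2>&1 | grep -q -- '-no-CAstore'; then
  NO_DEFAULTS="$NO_DEFAULTS -no-CAstore"
fi

# make_ca NAME: self-signed CA certificate and key (NAME is hypothetical).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# make_leaf NAME CA: end-entity certificate for NAME, signed by CA.
make_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 1 -sha256 -out "$WORK/$1.pem" 2>/dev/null
}

# verify_only_with LEAF CA: exit 0 if LEAF chains to CA when CA is the only
# trusted certificate, non-zero otherwise (openssl verify's own exit status).
# Without $NO_DEFAULTS the system store would be consulted as well, which is
# why a public-CA cert passes even with an unrelated -CAfile.
verify_only_with() {
  # shellcheck disable=SC2086  # word splitting of $NO_DEFAULTS is intended
  openssl verify $NO_DEFAULTS -CAfile "$WORK/$2.pem" "$WORK/$1.pem" >/dev/null 2>&1
}

demo() {
  mkdir -p "$WORK/empty"
  make_ca myca
  make_ca unrelated
  make_leaf server myca

  if verify_only_with server myca; then
    echo "server.pem: OK when only myca.pem is trusted"
  fi
  if ! verify_only_with server unrelated; then
    echo "server.pem: rejected when only unrelated.pem is trusted (what John expects from wget)"
  fi

  # wget counterpart following Tim's reply (GnuTLS build): point --ca-directory
  # at an empty directory so no system certs are loaded beside the custom CA.
  # Shown only, not executed here; server.example is a placeholder host.
  #   wget -O- --ca-directory="$WORK/empty" --ca-certificate="$WORK/myca.pem" https://server.example/
}

demo
```

The rejection case is the one that matters: a leaf signed by a CA the verifier has never seen must fail, and it only does so reliably once the default locations are switched off, which is the behaviour John could not get from wget.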
