On Tue, May 5, 2015 at 9:06 PM, Tim Rühsen <[email protected]> wrote:
> So, please send your email to the mailing list. Of course there has to be
> some decision (we are talking about a bug). And your effort (even just
> asking/pinging the list) is highly appreciated !
>

Hi, sorry, guess I did not hit 'reply all' on this. So the original question was - is this going to be fixed in future wget version, or is this more of an OpenSSL problem and I should try to raise an issue with them?

> Also, tell us what you think about this issue. How would you like to see it
> being solved ? Your opinion will likely influence the final solution and I
> would like to see your name as contributor (even reporting is a kind of
> contribution).
>

At the very least it should be documented clearly that currently wget always trusts some (rather large) set of servers. I also think that there are situations where you have a private CA and this default behavior is counterproductive and may even be viewed as a gaping security issue. In mutual SSL auth you want absolute control over who you trust, and placing default trust in public CAs allows anyone with $50 to become trusted. So either the default should be changed (and consistent over all distros) or there should be options to force it either way.

I have no explicit need to be listed as contributor, but if you feel that's the right thing to do, I leave that up to you.

>
> On Tuesday, 5 May 2015, 17:18:52, John Edwards wrote:
> > Thanks for looking into this... so what now? Is this going to be corrected
> > in next wget? Or is this an OpenSSL bug?
> >
> > On Mon, May 4, 2015 at 4:46 PM, Tim Ruehsen <[email protected]> wrote:
> > > > Someone with an OpenSSL version of Wget has to give it a try...
> > >
> > > I just gave it a try... as I thought, openssl and gnutls code work
> > > differently. The relevant OpenSSL docs are IMHO very imprecise.
> > >
> > > This code does it for me (and survives the test suite), but I have the
> > > feeling, this is not the complete solution (one has to dig up the OpenSSL
> > > code to be 100% sure).
> > >
> > >   if (opt.ca_cert || opt.ca_directory)
> > >     SSL_CTX_load_verify_locations (ssl_ctx, opt.ca_cert, opt.ca_directory);
> > >   else
> > >     SSL_CTX_set_default_verify_paths (ssl_ctx);
> > >
> > > Regards, Tim
> > >
> > > On Monday 04 May 2015 16:08:23 Tim Ruehsen wrote:
> > > > On Monday 04 May 2015 11:28:01 John Edwards wrote:
> > > > > Hi all,
> > > > >
> > > > > we're having trouble forcing wget to reject https servers that do not
> > > > > present themselves with a valid certificate in the context of a custom CA.
> > > > > It seems that wget has some default set of trusted certificates (that is
> > > > > verisign, blah blah) that can't be disabled.
> > > > >
> > > > > For example, I want this to fail
> > > > >   wget -O- --ca-certificate=myservercert.pem https://www.google.com
> > > > >
> > > > > assuming myservercert.pem has nothing to do with Google's certificate or
> > > > > its trust chain, but it does not fail. With curl, I'm having no trouble.
> > > > >
> > > > > According to replies at
> > > > > http://unix.stackexchange.com/questions/199372/wget-force-no-default-certificates
> > > > > this seems to be a bug (or configuration error?) on some wget
> > > > > versions, but not others.
> > > > >
> > > > > Any thoughts?
> > > >
> > > > Hi John,
> > > >
> > > > having a look at src/gnutls.c:
> > > >
> > > > All certs from the system cert directory are loaded - your ca-cert will be
> > > > loaded additionally.
> > > >
> > > > If you don't want any system certs, you have to specify an empty
> > > > --ca-directory.
> > > >
> > > > If your version of Wget is linked with openssl it might behave differently
> > > > (I didn't test it, but if it behaves like I guess, it is a bug).
> > > >
> > > > ...
> > > >
> > > >   SSL_CTX_set_default_verify_paths (ssl_ctx);
> > > >   SSL_CTX_load_verify_locations (ssl_ctx, opt.ca_cert, opt.ca_directory);
> > > >
> > > > ...
> > > >
> > > > The two lines above are executed unconditionally.
> > > > SSL_CTX_set_default_verify_paths sets the OpenSSL compiled-in cert file and
> > > > path. AFAIK it internally calls SSL_CTX_load_verify_locations().
> > > > I am not sure if a second call to SSL_CTX_load_verify_locations adds up or
> > > > overwrites former settings.
> > > > Someone with an OpenSSL version of Wget has to give it a try...
> > > >
> > > > Regards, Tim
>
