> But as I said, I haven't seen any reference to the opt.check_cert > variable anywhere, not even around the call to tlssep_connect(), so > theoretically, your code is completely ignoring the --no-check-certificate > flag, causing a potential bug in which Wget will fail when a certificate > is invalid (or self-signed, as well?) even though the user has explicitly > told not to verify them.
Yes, this is true. The paper mentions this caveat, and the patch is certainly not yet ready for merging into mainstream. All of the code is currently of research prototype quality, but we hope to be able to make a stable release soon. OpenBSD's libtls library takes the approach of verifying certificates by default but allowing programmers to explicitly turn verification off. We presently take the more firm approach that only a configuration file change can affect if/how verification takes place. We could certainly add an API call to transition into "unsafe" mode, or we could allow the application to poll the setting and warn users that --no-check-certificate has no effect. Yet introducing these abilities would allow a compromised application to reconfigure itself; this might not be an additional capability on many systems, but with (something like) SELinux forcing applications to use libtlssep, this might allow the compromised application to make a connection in a way not otherwise permitted. I would be interested to hear other programmers' ideas. Thank you! -- Mike :wq
