On Fri, May 25, 2018 at 12:50 AM, Jakub Jirutka <[email protected]> wrote: > Internal TLS code (FEATURE_WGET_HTTPS) does not implement validation > of the server's certificate. It is documented in the code, but not > even mentioned in the --help message, so users typically don't know > about this behaviour. That's a crime against security! > > This patch changes this behaviour for the case when both > FEATURE_WGET_LONG_OPTIONS and FEATURE_WGET_HTTPS are enabled - any > attempt to open a TLS connection using internal TLS code (i.e. without > certificate validation) ends with error, unless the user specified > option "--no-check-certificate". >
Jakub, I wonder if you can revise your patch, so that it prints a warning that certificate check is skipped instead of error-ing and quitting. That way the patch might have a chance of getting accepted. _______________________________________________ busybox mailing list [email protected] http://lists.busybox.net/mailman/listinfo/busybox
