On Sat, Jul 7, 2012 at 4:02 PM, <pro...@secure-mail.biz> wrote: > <noloa...@gmail.com> wrote: >> You pin a certificate by whitelisting expected server certificates >> (possibly thumbprints). > > [SNIP] > So my original question was how do I get wget to verify the torproject.org > fingerprint  without depending on root CA's? The only possible solution > I saw was downloading the torproject.org SSL public key, run a local CA, > sign the certificate and run wget with the --ca-certificate switch. That's why > I posted the question "Sign public key without having CSR or private key?". > > If there are any suggestions for this situation I am all ears. Come to think of it, you could use OpenSSL's s_client to do the pinning, and then use wget if everything is OK. Its does set up a small breeding ground for a TOCTOU (http://nob.cs.ucdavis.edu/bishop/papers/1996-compsys/racecond.pdf), but I believe the risk is small.
Jeff ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List email@example.com Automated List Manager majord...@openssl.org