Re: [Bug-wget] Docs missing info on ca_directory and ca_certfile
On Fri, Feb 22, 2019 at 7:06 AM Tim Rühsen wrote:
>
> On 1/3/19 6:39 PM, Jeffrey Walton wrote:
> > On Thu, Jan 3, 2019 at 12:23 PM Ander Juaristi wrote:
> >>
> >> The patch looks good to me. As Tim says, I would also pass NULL as the
> >> second param in line 20. If we provide --ca-directory what would happen
> >> is that OpenSSL will pick up the most suitable certificate from the
> >> directory based on the hash value of the name, and some other field I
> >> don't remember. GnuTLS will consider all of them. In the end it's the
> >> same behavior.
> >>
> >> Tim, could you merge the patch?
> >
> > Feel free to knob turn on it. I'm fine with merciless editing.
> >
> > The three use cases I was trying to capture are:
> >
> > (1) wget ...                 # no CAs specified; use defaults from wgetrc
> > (2) wget --ca-file=...       # use only this CA or collection of CAs
> > (3) wget --ca_directory=...  # use only this collection of CAs
> >
> > Cases (2) and (3) attempt to avoid unwanted additional CAs for those
> > who are trying to be strict about what they are willing to accept.
>
> I just made up a first commit out of the 'partial trust chain' code.
>
> The second part (your points 1-3) would look a bit different.
>
> For backwards compat we don't want to change wget's behavior when using
> --ca-file and/or --ca_directory (not even to fix a design flaw).
>
> But we could skip loading the default certs (via
> SSL_CTX_set_default_verify_paths()) when --ca-file=... *and*
> --ca_directory="" is given.
>
> Another (cleaner) option would be to add a new option --ca-skip-defaults.
>
> WDYT?

Looks good to me. I think it is important to maintain consistent behavior across backends, so the changes to the patch are important.

--ca-skip-defaults may make sense. I often avoid the CA Zoo. I don't know how many others do the same.

Jeff
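The two trust-store policies argued over above (always add the system defaults versus trust only what --ca-certificate/--ca-directory name) can be shown side by side with Python's ssl module, which wraps the same OpenSSL calls Tim mentions: load_default_certs() is SSL_CTX_set_default_verify_paths() and load_verify_locations() is SSL_CTX_load_verify_locations(). This is an added example, not wget's code or Tim's commit; the skip_defaults parameter stands in for the proposed, not yet existing, --ca-skip-defaults option, the test CA is a constructed throw-away certificate, and the example assumes an openssl command-line binary is installed to mint it (it returns None otherwise).

```python
"""Trust-store policies for a TLS client, modelled on the wget thread.

Python's ssl module wraps the OpenSSL calls the thread names:
  SSLContext.load_default_certs()    -> SSL_CTX_set_default_verify_paths()
  SSLContext.load_verify_locations() -> SSL_CTX_load_verify_locations()
"""
import os
import shutil
import ssl
import subprocess
import tempfile

CA_CN = "Example Test CA"  # constructed subject for the throw-away CA

# Minimal openssl.cnf for the test CA (constructed; sidesteps the system config).
REQ_CONFIG = f"""[ req ]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[ dn ]
CN = {CA_CN}
[ ca_ext ]
basicConstraints = critical, CA:TRUE
"""


def legacy_context(cafile=None, capath=None):
    """Behaviour the thread describes as current: the system defaults (the
    'CA zoo') are always loaded and the user's --ca-certificate /
    --ca-directory are merely added on top of them."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
    if cafile or capath:
        ctx.load_verify_locations(cafile=cafile, capath=capath)
    return ctx


def strict_context(cafile=None, capath=None, skip_defaults=False):
    """Proposed --ca-skip-defaults (hypothetical flag): with skip_defaults
    set, only the explicitly supplied anchors are trusted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if cafile or capath:
        ctx.load_verify_locations(cafile=cafile, capath=capath)
    if not skip_defaults:
        ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
    return ctx


def trusted_common_names(ctx):
    """CNs of the CA certificates sitting in the context's X509_STORE.
    Certificates under a capath are found lazily by subject hash, so they
    do not show up here until OpenSSL has actually needed one."""
    names = []
    for cert in ctx.get_ca_certs():
        for rdn in cert["subject"]:
            for attr, value in rdn:
                if attr == "commonName":
                    names.append(value)
    return sorted(names)


def make_test_ca(directory):
    """Constructed self-signed CA; assumes the openssl CLI is installed
    and returns None when it is not."""
    if shutil.which("openssl") is None:
        return None
    cfg = os.path.join(directory, "req.cnf")
    key = os.path.join(directory, "ca.key")
    crt = os.path.join(directory, "ca.pem")
    with open(cfg, "w") as f:
        f.write(REQ_CONFIG)
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
                    "-keyout", key, "-out", crt, "-days", "1", "-config", cfg],
                   check=True, capture_output=True)
    return crt


def install_hashed(crt, cadir):
    """Lay the CA out the way --ca-directory expects (what c_rehash does):
    a file named <subject_hash>.0, Ander's 'hash value of the name'."""
    out = subprocess.run(["openssl", "x509", "-noout", "-subject_hash", "-in", crt],
                         check=True, capture_output=True, text=True)
    name = out.stdout.strip() + ".0"
    shutil.copyfile(crt, os.path.join(cadir, name))
    return name


def compare_policies():
    """Build the contexts against the constructed CA and report what each
    trusts; None means no openssl CLI was found."""
    with tempfile.TemporaryDirectory() as tmp:
        crt = make_test_ca(tmp)
        if crt is None:
            return None
        cadir = os.path.join(tmp, "certs")
        os.mkdir(cadir)
        hashed = install_hashed(crt, cadir)
        return {
            "strict": trusted_common_names(strict_context(cafile=crt, skip_defaults=True)),
            "legacy": trusted_common_names(legacy_context(cafile=crt)),
            "capath_eager": trusted_common_names(strict_context(capath=cadir, skip_defaults=True)),
            "hashed_name": hashed,
        }


if __name__ == "__main__":
    print(compare_policies())
```

Running the file prints the dictionary: "strict" contains only the test CA, "legacy" contains the test CA plus whatever the system store holds, and "capath_eager" is empty because a hashed directory is only consulted when a chain needs it, which is the OpenSSL-versus-GnuTLS difference Ander describes.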
Re: [Bug-wget] Docs missing info on ca_directory and ca_certfile
On Thu, Jan 3, 2019 at 12:23 PM Ander Juaristi wrote:
>
> The patch looks good to me. As Tim says, I would also pass NULL as the
> second param in line 20. If we provide --ca-directory what would happen
> is that OpenSSL will pick up the most suitable certificate from the
> directory based on the hash value of the name, and some other field I
> don't remember. GnuTLS will consider all of them. In the end it's the
> same behavior.
>
> Tim, could you merge the patch?

Feel free to knob turn on it. I'm fine with merciless editing.

The three use cases I was trying to capture are:

(1) wget ...                 # no CAs specified; use defaults from wgetrc
(2) wget --ca-file=...       # use only this CA or collection of CAs
(3) wget --ca_directory=...  # use only this collection of CAs

Cases (2) and (3) attempt to avoid unwanted additional CAs for those who are trying to be strict about what they are willing to accept.

If I mis-parsed the Wget sources and what is happening, then my apologies. That's just ignorance on my part and I apologize for it.

Jeff
Re: [Bug-wget] Docs missing info on ca_directory and ca_certfile
Hi,

The patch looks good to me. As Tim says, I would also pass NULL as the second param in line 20. If we provide --ca-directory what would happen is that OpenSSL will pick up the most suitable certificate from the directory based on the hash value of the name, and some other field I don't remember. GnuTLS will consider all of them. In the end it's the same behavior.

Tim, could you merge the patch?

On 29/12/18 17:54, Jeffrey Walton wrote:
> On Sat, Dec 29, 2018 at 11:43 AM Tim Rühsen wrote:
>>
>> On 29.12.18 05:00, Jeffrey Walton wrote:
>>> On Fri, Dec 28, 2018 at 10:07 PM Jeffrey Walton wrote:
>>>> The sample wgetrc is missing info on ca_directory. Also see
>>>> https://www.gnu.org/software/wget/manual/html_node/Sample-Wgetrc.html.
>>>>
>>>> I also cannot figure out how to tell Wget to use cacert.pem. I've
>>>> tried ca_cert, ca_certs and ca_certfile but it produces:
>>>>
>>>> wget: Unknown command ‘ca_file’ in /opt/bootstrap/etc/wgetrc at line 141
>>>> Parsing system wgetrc file failed.
>>>
>>> My bad... I found it. openssl.c used "opt.ca_cert", so I was trying to
>>> use the same in rc file. The correct name is ca_certificate.
>>
>> There are some inconsistencies with the naming in rc files and on the
>> command line. We do not have this any more with wget2.
>>
>>> Tim, you may want this when Wget is built against OpenSSL. It makes
>>> Wget/OpenSSL behave like Wget/GnuTLS:
>>> https://github.com/noloader/Build-Scripts/blob/master/bootstrap/wget.patch
>>
>> Thanks for the pointer.
>>
>> On L20 the second param to SSL_CTX_load_verify_locations can be NULL.
>>
>> I personally don't care much for OpenSSL - I put Ander on CC.
>
> Yeah, understood.
>
> The problem I'm facing is I need a working Wget quickly. Trying to
> build GnuTLS from sources is too heavy weight at this point in the
> process. I can do it later, but I need the lightweight version
> immediately.
>
> The patch tested OK on Linux back to Fedora 1 with GCC 3. I've still
> got AIX, OS X, Solaris and some other testing to do.
>
> Jeff
Re: [Bug-wget] Docs missing info on ca_directory and ca_certfile
On 29.12.18 05:00, Jeffrey Walton wrote:
> On Fri, Dec 28, 2018 at 10:07 PM Jeffrey Walton wrote:
>>
>> The sample wgetrc is missing info on ca_directory. Also see
>> https://www.gnu.org/software/wget/manual/html_node/Sample-Wgetrc.html.
>>
>> I also cannot figure out how to tell Wget to use cacert.pem. I've
>> tried ca_cert, ca_certs and ca_certfile but it produces:
>>
>> wget: Unknown command ‘ca_file’ in /opt/bootstrap/etc/wgetrc at line 141
>> Parsing system wgetrc file failed.
>
> My bad... I found it. openssl.c used "opt.ca_cert", so I was trying to
> use the same in rc file. The correct name is ca_certificate.

There are some inconsistencies with the naming in rc files and on the
command line. We do not have this any more with wget2.

> Tim, you may want this when Wget is built against OpenSSL. It makes
> Wget/OpenSSL behave like Wget/GnuTLS:
> https://github.com/noloader/Build-Scripts/blob/master/bootstrap/wget.patch

Thanks for the pointer.

On L20 the second param to SSL_CTX_load_verify_locations can be NULL.

I personally don't care much for OpenSSL - I put Ander on CC.

Regards, Tim
Re: [Bug-wget] Docs missing info on ca_directory and ca_certfile
On Fri, Dec 28, 2018 at 10:07 PM Jeffrey Walton wrote:
>
> The sample wgetrc is missing info on ca_directory. Also see
> https://www.gnu.org/software/wget/manual/html_node/Sample-Wgetrc.html.
>
> I also cannot figure out how to tell Wget to use cacert.pem. I've
> tried ca_cert, ca_certs and ca_certfile but it produces:
>
> wget: Unknown command ‘ca_file’ in /opt/bootstrap/etc/wgetrc at line 141
> Parsing system wgetrc file failed.

My bad... I found it. openssl.c used "opt.ca_cert", so I was trying to use the same in rc file. The correct name is ca_certificate.

Tim, you may want this when Wget is built against OpenSSL. It makes Wget/OpenSSL behave like Wget/GnuTLS: https://github.com/noloader/Build-Scripts/blob/master/bootstrap/wget.patch.

Jeff