> If Openssl is broken, e.g. no certs installed, this will cause wget
> not to work.
Do not know what version, but my version worked without installed certs.
Also, before my patch there was not even any cert routine, only ssl "encapsulation".
I know it's not perfect, but I worked on request on an alternative
through gnutls.
On request because of the license problem. But now it seems there is no more
interest in it.
By the way, I do not think it's a great idea to "hard code" a
certification directory
that not the user, but only the admin can manage, and so the user has no
real choice what
is valid.
Cu thomas
> Attached is a patch that correctly handles cert verification. You may
> want to add better error messages or a command line override.
>
> Alternately you can include your own cert chain file and set the
> directory or paths, etc. but this is a quick fix and openssl should be
> set up properly anyway.
>
> diff -Bbur wget-1.8.2/src/gen_sslfunc.c wget-1.8.2-fix/src/gen_sslfunc.c
> --- wget-1.8.2/src/gen_sslfunc.c 2002-05-17 23:14:48.000000000 -0400
> +++ wget-1.8.2-fix/src/gen_sslfunc.c 2002-08-18 22:05:34.000000000
> -0400
> @@ -135,6 +135,7 @@
> meth = SSLv23_client_method ();
> *ctx = SSL_CTX_new (meth);
> SSL_CTX_set_verify (*ctx, verify, verify_callback);
> + SSL_CTX_set_default_verify_paths (*ctx);
> if (*ctx == NULL) return SSLERRCTXCREATE;
> if (opt.sslcertfile)
> {
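Review bot: The added SSL_CTX_set_default_verify_paths (*ctx) call runs before the `if (*ctx == NULL) return SSLERRCTXCREATE;` check, so it is handed a NULL context when SSL_CTX_new fails, and its return value is discarded. Move the call below the NULL check and test its result, so that a missing or unreadable default cert store is reported at setup time rather than showing up later as an unexplained verification failure.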
> @@ -154,6 +155,9 @@
> Returns 0 if everything went right
> Returns 1 if something went wrong ----- TODO: More exit codes
> */
> +
> +static int goodcert;
> +
> int
> connect_ssl (SSL **con, SSL_CTX *ctx, int fd)
> {
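Review bot: `static int goodcert;` is inserted between the "Returns 0 ... / Returns 1 ..." comment and connect_ssl, which detaches that comment from the function it documents, and the variable itself carries no comment. Declare it above the comment block with a line stating that it holds the result written by verify_callback, or drop the file-scope state and read the outcome from the connection with SSL_get_verify_result.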
> @@ -161,6 +165,8 @@
> SSL_set_fd (*con, fd);
> SSL_set_connect_state (*con);
> SSL_connect (*con);
> + if( !goodcert )
> + return 1;
> if ((*con)->state != SSL_ST_OK)
> return 1;
> /*while((SSLerror=ERR_get_error())!=0)
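Review bot: `if( !goodcert )` tests a file-scope flag that connect_ssl never resets before SSL_connect (*con), so the value left behind by an earlier connection is what gets tested whenever verify_callback does not run for this one. Set goodcert to 0 at the top of connect_ssl, and check the return value of SSL_connect, which is still ignored here. The spacing also differs from the neighbouring `if ((*con)->state != SSL_ST_OK)`.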
> @@ -188,6 +194,7 @@
> {
> char *s, buf[256];
> s = X509_NAME_oneline (X509_get_subject_name (ctx->current_cert),
> buf, 256);
> + goodcert = ok;
> if (ok == 0) {
> switch (ctx->error) {
> case X509_V_ERR_CERT_NOT_YET_VALID:
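Review bot: `goodcert = ok;` sits before the `if (ok == 0)` error switch and is unconditional, so it records the incoming value of each invocation rather than the callback's final decision: any adjustment the switch makes to ok is missed, and a later invocation overwrites an earlier failure. Assign it at the point where the callback returns, and only clear it on failure, with the flag set once before the connect.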
