Doug Kaufman <[EMAIL PROTECTED]> writes:

> All this made me look once again at the code for default certificate
> locations in the openssl code and in the wget code. I think I need
> to withdraw my suggestion for documentation of SSL_CERT_FILE and
> SSL_CERT_DIR in the wget documentation, since a careful look at
> gen_sslfunc.c shows that we aren't using them.

Except that, as you note later, maybe we *should* be using them.

> doesn't do that. As I understand from looking at the code in
> gen_sslfunc.c, wget doesn't do any verification at all unless called
> with the sslcheckcert option set to a non-null value.

That's right.  And it seems like a very lousy default.

> I am certainly not an encryption specialist, but I would favor
> different defaults for this. I would think that verifying the cert
> for a "secure" site should be the default, or wget may be giving a
> false sense of security when it retrieves the files. I would also
> favor using the openssl defaults, allowing them to be overridden by
> wget command-line options. This would probably mean making changes
> in gen_sslfunc.c to call "SSL_CTX_set_default_paths" just before
> calling "SSL_CTX_load_verify_locations", getting rid of
> "can_verify", and setting "verify" to "SSL_VERIFY_PEER" unless
> "sslcheckcert" is set to 0 (or equivalent renamed option is used).

That sounds like a good plan.  I'll try to make such a change.  If we
do call SSL_CTX_set_default_paths, should we document SSL_CERT_* env
variables as you originally suggested?

Since you seem to be knowledgeable about SSL implementation(s), what do
you think about GNU TLS?  Is its development active?  How hard would
it be to use it in Wget?
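
The defaults proposed in the quoted text (verify the peer unless told not to, start from the OpenSSL default certificate locations, let explicit options add to them), sketched as an added example that is not part of the original message and not wget code. It uses Python's `ssl` module, which wraps OpenSSL, instead of the C in gen_sslfunc.c; `build_context`, `default_locations` and their parameters are hypothetical names.

```python
import ssl


def build_context(check_cert=True, ca_file=None, ca_dir=None):
    """Hypothetical helper: verification is on unless explicitly disabled."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if not check_cert:
        # Explicit opt-out, the equivalent of setting sslcheckcert to 0.
        # check_hostname must be cleared before verify_mode can be CERT_NONE.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    ctx.verify_mode = ssl.CERT_REQUIRED
    # Start from the OpenSSL defaults. This call wraps OpenSSL's
    # default-path loading, which consults SSL_CERT_FILE and SSL_CERT_DIR.
    ctx.set_default_verify_paths()
    # Locations given on the command line are added on top of the defaults.
    if ca_file or ca_dir:
        ctx.load_verify_locations(cafile=ca_file, capath=ca_dir)
    return ctx


def default_locations():
    """Report which environment variables and paths OpenSSL will use."""
    paths = ssl.get_default_verify_paths()
    return {
        "file_env": paths.openssl_cafile_env,  # name of the env variable
        "dir_env": paths.openssl_capath_env,
        "file": paths.cafile,  # resolved path, None if it does not exist
        "dir": paths.capath,
    }


if __name__ == "__main__":
    print(default_locations())
    print("default:", build_context().verify_mode)
    print("opt-out:", build_context(check_cert=False).verify_mode)
```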
