On Sun, 24 Apr 2005, Hrvoje Niksic wrote:
> Doug Kaufman <[EMAIL PROTECTED]> writes:
> > I am certainly not an encryption specialist, but I would favor
> > different defaults for this. I would think that verifying the cert
> > for a "secure" site should be the default, or wget may be giving a
> > false sense of security when it retrieves the files. I would also
> > favor using the openssl defaults, allowing them to be overridden by
> > wget command-line options. This would probably mean making changes
> > in gen_sslfunc.c to call "SSL_CTX_set_default_paths" just before
> > calling "SSL_CTX_load_verify_locations", getting rid of
> > "can_verify", and setting "verify" to "SSL_VERIFY_PEER" unless
> > "sslcheckcert" is set to 0 (or equivalent renamed option is used).
>
> That sounds like a good plan. I'll try to make such a change. If we
> do call SSL_CTX_set_default_paths, should we document SSL_CERT_* env
> variables as you originally suggested?

I think so. I did send a message to the openssl-dev list about this.
Let's wait to see what the openssl developers say.

> Since you seem to be knowledgeable about SSL implementation(s), what do
> you think about GNU TLS? Is its development active? How hard would
> it be to use it in Wget?

I have never really followed GNU TLS. My impression was that it was a
less mature implementation. For routine use, I would use either. When
security was important, I would tend to favor the implementation which
had been tested more thoroughly, which I believe is Openssl. Openssl
can be FIPS certified; I don't know about GNU TLS. I think that there
are two separate questions. One is whether the encryption code can be
easily integrated with the application. The other is how secure the
implementation of the encryption library is. I don't know the answer to
either.

Doug
--
Doug Kaufman
Internet: [EMAIL PROTECTED]
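
The ordering proposed in this message (library default trust paths first, explicit CA locations second, peer verification on unless the user opts out), as an added example that is not code from Wget or from either poster. It uses Python's `ssl` module, which wraps OpenSSL: `set_default_verify_paths()` corresponds to OpenSSL's `SSL_CTX_set_default_verify_paths` and is what makes the `SSL_CERT_FILE` / `SSL_CERT_DIR` environment variables take effect. The function and parameter names (`build_context`, `check_cert`, `ca_file`, `ca_dir`) are hypothetical.

```python
import ssl


def build_context(check_cert=True, ca_file=None, ca_dir=None):
    """Build a client TLS context that verifies the peer by default.

    check_cert, ca_file and ca_dir are hypothetical stand-ins for the
    command-line options discussed in the thread.
    """
    # PROTOCOL_TLS_CLIENT starts with CERT_REQUIRED and hostname checking on.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)

    # Step 1: the library's default trust store. OpenSSL resolves it from the
    # SSL_CERT_FILE / SSL_CERT_DIR environment variables when they are set,
    # otherwise from its compiled-in locations. Missing paths are not an error.
    ctx.set_default_verify_paths()

    # Step 2: explicit locations from the caller are added on top.
    if ca_file or ca_dir:
        ctx.load_verify_locations(cafile=ca_file, capath=ca_dir)

    # Step 3: verification is switched off only on explicit request, never as
    # a silent fallback when no CA material could be loaded.
    if not check_cert:
        ctx.check_hostname = False  # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def policy(ctx):
    """Return (verifies_peer, checks_hostname) for a context."""
    return ctx.verify_mode == ssl.CERT_REQUIRED, ctx.check_hostname


def trust_store_env_vars():
    """Names of the environment variables OpenSSL consults for CA paths."""
    paths = ssl.get_default_verify_paths()
    return paths.openssl_cafile_env, paths.openssl_capath_env


if __name__ == "__main__":
    print("default   :", policy(build_context()))
    print("opted out :", policy(build_context(check_cert=False)))
    print("env vars  :", trust_store_env_vars())
```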