Hrvoje Niksic <[EMAIL PROTECTED]> writes:

> Specifically I am interested in the correctness of the code that
> loads the client certificates and checks for server certificates.
Here is the thing we definitely miss: Wget doesn't contain code that
checks the host identity presented by the server's certificate against
the host name input by the user.  Given that OpenSSL is never given the
perceived host name, I don't see how it can perform that check
automatically.

For example, the OpenSSL example at http://tinyurl.com/7qavu includes
this:

#include <strings.h>           /* strcasecmp */
#include <openssl/ssl.h>
#include <openssl/x509.h>

/* berr_exit() and err_exit() are the example's own error helpers. */
void berr_exit(const char *msg);
void err_exit(const char *msg);

/* Check that the common name matches the host name */
void check_cert(SSL *ssl, char *host)
{
  X509 *peer;
  char peer_CN[256];

  if (SSL_get_verify_result(ssl) != X509_V_OK)
    berr_exit("Certificate doesn't verify");

  /* Check the cert chain.  The chain length is automatically checked by
     OpenSSL when we set the verify depth in the ctx */

  /* Check the common name */
  peer = SSL_get_peer_certificate(ssl);
  if (peer == NULL)
    err_exit("No peer certificate presented");
  /* Only the subject CN is consulted here; subjectAltName entries are
     ignored, and an absent CN is an error, not a match. */
  if (X509_NAME_get_text_by_NID(X509_get_subject_name(peer),
                                NID_commonName, peer_CN, 256) < 0)
    err_exit("Certificate has no common name");
  if (strcasecmp(peer_CN, host))
    err_exit("Common name doesn't match host name");
  X509_free(peer);   /* SSL_get_peer_certificate() returns a new reference */
}

curl contains much more elaborate code in ssluse.c:verifyhost().  Although
I'm not sure Wget requires an exact replica of curl's logic, *some* check
seems necessary, especially since we claim to verify the server's
certificate by default.
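The part that neither the OpenSSL snippet above nor the default verify callback does is the actual name comparison. The following is an added, self-contained example (not Wget's, curl's, or the OpenSSL book's code) of the matching rule a client needs once it has pulled the dNSName subjectAltName entries (with the subject CN only as a fallback) out of the certificate: case-insensitive comparison, a wildcard honoured only as the whole left-most label and only when at least two labels follow it, and rejection of presented names containing an embedded NUL. Extracting the names from the X509 is assumed to happen elsewhere; the names and hosts in main() are constructed samples. Modern OpenSSL (1.0.2 and later) ships this check as X509_check_host() / SSL_set1_host(), which is the preferable route where available.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive comparison of two byte ranges (DNS names are
   case-insensitive; ASCII only, as in DNS presentation format). */
static bool ci_equal(const char *a, size_t alen, const char *b, size_t blen)
{
    if (alen != blen) return false;
    for (size_t i = 0; i < alen; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return false;
    return true;
}

/* Does one certificate name (a dNSName SAN, or the CN as fallback) match
   the host the user asked for?  Rules, after RFC 6125 section 6.4.3:
   - comparison is case-insensitive;
   - '*' is accepted only as the entire left-most label ("*.example.com")
     and only when at least two labels follow it, so "*.com" never matches;
   - the wildcard label matches exactly one label: "a.b.example.com" fails;
   - the caller passes the presented name's true length so that a name
     with an embedded NUL ("www.good.com\0.evil.com") is rejected rather
     than silently truncated at the NUL. */
bool hostname_matches(const char *pattern, size_t plen, const char *host)
{
    size_t hlen = strlen(host);

    if (memchr(pattern, '\0', plen) != NULL)  /* not a valid DNS name */
        return false;

    if (plen >= 2 && pattern[0] == '*' && pattern[1] == '.') {
        const char *psuffix = pattern + 1;     /* ".example.com" */
        size_t slen = plen - 1;
        int dots = 0;
        for (size_t i = 1; i < plen; i++)
            if (pattern[i] == '.') dots++;
        if (dots < 2) return false;            /* "*.com" style patterns */
        if (memchr(psuffix, '*', slen) != NULL) return false;
        /* host needs a non-empty first label, then exactly the suffix */
        const char *hdot = strchr(host, '.');
        if (hdot == NULL || hdot == host) return false;
        return ci_equal(hdot, hlen - (size_t)(hdot - host), psuffix, slen);
    }
    /* a '*' anywhere else is not treated as a wildcard: literal match only */
    return ci_equal(pattern, plen, host, hlen);
}

/* Check the user's host against every name the certificate presents.
   Returns 1 on a match, 0 on mismatch; on 0 the caller must abort the
   connection, since a verified chain for the wrong name is worthless. */
int verify_host(const char *host, const char *const names[],
                const size_t lens[], size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (hostname_matches(names[i], lens[i], host))
            return 1;
    return 0;
}

int main(void)
{
    /* Constructed sample: names as they might be read from a certificate's
       dNSName SAN entries (not taken from any real certificate). */
    const char *const names[] = { "example.com", "*.example.com" };
    const size_t lens[] = { 11, 13 };
    const char *hosts[] = { "www.example.com", "example.com", "a.b.example.com" };

    for (size_t i = 0; i < 3; i++)
        printf("%-18s %s\n", hosts[i],
               verify_host(hosts[i], names, lens, 2)
                   ? "matches" : "MISMATCH: abort the connection");
    return 0;
}
```

Running the block reports the first two hosts as matching and "a.b.example.com" as a mismatch, because the wildcard label covers exactly one label. Note that the match must be performed against the host name the user typed (or the name after explicit redirects), never against a name obtained from DNS or from the certificate itself.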
