On Thu, 12 May 2005, Hrvoje Niksic wrote:

> Doug Kaufman <[EMAIL PROTECTED]> writes:
> 
> >> That sounds like a good plan.  I'll try to make such a change.  If
> >> we do call SSL_CTX_set_default_paths, should we document SSL_CERT_*
> >> env variables as you originally suggested?
> >
> > I think so. I did send a message to the openssl-dev list about this.
> > Let's wait to see what the openssl developers say.
> 
> Any news on this?

Nothing yet, but it isn't unusual for it to take weeks to get a comment
or reply.

> A side-effect of this development is that wget-1.10-beta1 refuses to
> download from any SSL server if the certificate authorities aren't
> locally configured.  Since OpenSSL doesn't come with a preinstalled CA
> certificate bundle and Wget doesn't come with a preinstalled bundle
> either, where is the user to get a bundle from?

This is the problem with having real security. It should be obtained
from a "trusted" source. I extracted my certificates from Microsoft's
Internet Explorer. Various packages have cert bundles distributed with
them, but the user doesn't have an easy way to know that they are
legitimate.

> The users will complain about this, and I'd like to know what to tell
> them other than "use --no-check-certificate".

I am not sure that there is an easy answer. The more secure the
certificates, the more trouble they are to obtain.
                           Doug

-- 
Doug Kaufman
Internet: [EMAIL PROTECTED]
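An added illustration of the mechanism under discussion, not code from the thread, from Wget or from OpenSSL: when a program calls SSL_CTX_set_default_paths, OpenSSL looks for trusted CA certificates in its compiled-in default file and directory, and the SSL_CERT_FILE and SSL_CERT_DIR environment variables override those two locations. `openssl verify`, run without -CAfile/-CApath, falls back on exactly the same default-path lookup, so the script below uses it to show all three situations the thread raises: no CA bundle at all (the wget-1.10-beta1 refusal), a bundle supplied through SSL_CERT_FILE, and a hashed directory supplied through SSL_CERT_DIR. It goes one step beyond the thread by also showing the directory layout. Everything is generated locally: a throwaway "Wget Test CA", a server certificate for the made-up host www.example.test, and an empty trust store; the only requirement is the openssl command-line tool.

```sh
#!/bin/sh
# Added example (not from the thread, Wget or OpenSSL): how OpenSSL's default
# trust-store lookup, the code path behind SSL_CTX_set_default_paths, finds a
# CA bundle via SSL_CERT_FILE / SSL_CERT_DIR.  `openssl verify` consults the
# same default locations, so this runs offline without wget or a server.
# Assumes the openssl CLI is installed; the CA, the host name www.example.test
# and every file below are constructed here and are not real.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "skipping: openssl not found"; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
EMPTY_DIR="$WORK/empty-certs"          # a trust directory with nothing in it
mkdir -p "$EMPTY_DIR"
: > "$WORK/empty-bundle.pem"           # a trust file with nothing in it

# Minimal req config so the example does not depend on a system openssl.cnf.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[dn]
CN = Wget Test CA
[v3_ca]
basicConstraints     = critical,CA:TRUE
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# 1. A self-signed CA: stands in for a CA bundle obtained from a trusted source.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/ca.cnf" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1

# 2. A server certificate issued by that CA (the "SSL server" wget would fetch from).
openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
    -subj "/CN=www.example.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > "$WORK/leaf.ext"
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" >/dev/null 2>&1

# 3. The SSL_CERT_DIR form: OpenSSL expects files named <subject-hash>.<n>.
#    (`openssl rehash` / c_rehash produce this; done by hand to show the layout.)
HASH_DIR="$WORK/hashed-certs"
mkdir -p "$HASH_DIR"
cp "$WORK/ca.pem" "$HASH_DIR/$(openssl x509 -subject_hash -noout -in "$WORK/ca.pem").0"

# verify_via_env CERT TRUST_FILE TRUST_DIR
#   Runs `openssl verify` with no -CAfile/-CApath, so it uses the default
#   paths, which is exactly where SSL_CERT_FILE and SSL_CERT_DIR are honoured.
#   Exit status 0 = chain verified, non-zero = rejected.
verify_via_env() {
    SSL_CERT_FILE="$2" SSL_CERT_DIR="$3" openssl verify "$1" >/dev/null 2>&1
}

# No CAs configured anywhere: the wget-1.10-beta1 "refuses to download" case.
if verify_via_env "$WORK/leaf.pem" "$WORK/empty-bundle.pem" "$EMPTY_DIR"; then
    echo "unexpected: chain verified against an empty trust store"; exit 1
fi
echo "empty trust store      -> rejected"

# Bundle file pointed to by SSL_CERT_FILE.
verify_via_env "$WORK/leaf.pem" "$WORK/ca.pem" "$EMPTY_DIR" \
    || { echo "unexpected: SSL_CERT_FILE bundle rejected"; exit 1; }
echo "SSL_CERT_FILE=ca.pem   -> OK"

# Hashed directory pointed to by SSL_CERT_DIR.
verify_via_env "$WORK/leaf.pem" "$WORK/empty-bundle.pem" "$HASH_DIR" \
    || { echo "unexpected: SSL_CERT_DIR directory rejected"; exit 1; }
echo "SSL_CERT_DIR=hashed/   -> OK"
```

Two practical notes. The file form is the easier one to hand to a user: one PEM file with every root concatenated, named in SSL_CERT_FILE, works with no further preparation, while the directory form only works if the files carry the subject-hash names (build it with `openssl rehash` or c_rehash rather than by hand). The hash algorithm changed in OpenSSL 1.0.0: a directory prepared for 0.9.x uses the names that `openssl x509 -subject_hash_old` prints, so a hashed directory that works with one OpenSSL version can silently find nothing with another, which is the same "no CAs configured" failure as above. Neither setting answers Hrvoje's underlying question of where a trustworthy bundle comes from; the variables only tell OpenSSL where the user put the bundle they chose to trust.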