On 02/08/13 16:11, Tim Ruehsen wrote:
> Hi,
>
> I realized that gnutls.c loads every file it can find in the given
> ca_directory (default: /etc/ssl/certs).
>
> For me (on Debian SID) it means every certificate is loaded 4 times!
>
> Example Visa certificate:
> ~/src/wget/src$ l /etc/ssl/certs|grep Visa
> lrwxrwxrwx 1 root root     23 11-06-13 08:40:39 6fcc125d.0 -> Visa_eCommerce_Root.pem
> lrwxrwxrwx 1 root root     23 11-06-13 08:40:39 a760e1bd.0 -> Visa_eCommerce_Root.pem
> lrwxrwxrwx 1 root root     58 27-10-11 09:39:52 Visa_eCommerce_Root.pem -> /usr/share/ca-certificates/mozilla/Visa_eCommerce_Root.crt

I wonder why you have two different hashes for the same file. Maybe one of them
comes from an old Visa_eCommerce_Root.crt? Those hashes are normally created by
c_rehash(1).

> That is 3 times plus loading of ca-certificates.crt kept in /etc/ssl/certs/,
> which seems to contain all certificates from /etc/ssl/certs.

Almost. It contains all certificates activated in /etc/ca-certificates.conf (all,
by default). See update-ca-certificates(8).

> It would be easy to fix that, if backwards compatibility wasn't an issue:
> 1. If we just load *.pem files, we would miss *.crt files
> 2. If we just load *.crt files, we would miss *.pem files
> 3. If we load both *.pem and *.crt files, we also load aggregations like
>    ca-certificates.crt (loading certs twice).

We are obtaining the final inode in the stat(). We should keep a list of loaded
inodes to avoid loading the same file several times.
Although that wouldn't fix the duplication with aggregations.

> My favorite would be to use
>         gnutls_certificate_set_x509_system_trust()
> for the default case (opt.ca_certificate == NULL) instead of the hard-coded
> /etc/ssl/certs/. This function loads all certs from the 'system' certs
> directory just once.

Looks good.

> For a user-provided cert directory, we should keep the current behavior of
> loading every file in the directory. Anything else may break Wget
> compatibility.
>
> I already have made the changes, but would like to see comments and/or
> opinions.
>
> Regards, Tim
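As an added example (not wget's or GnuTLS's code), the following program shows the two deduplication steps the thread discusses: tracking the final (device, inode) pair from stat() so that the three names in the listing above open the file once, and additionally comparing certificate bodies so that an aggregate such as ca-certificates.crt does not load the same certificate a second time, which the reply notes inode tracking alone cannot do. It builds its own fixture under /tmp that mirrors the Debian layout in the listing; the directory, the file names and the PEM bodies are constructed placeholders, not real certificates, and the struct and function names are this example's own.

```c
/* Added example, not wget or GnuTLS code: load a CA directory while skipping
 * files whose final inode was already loaded (the thread's suggestion) and
 * PEM bodies already seen, so an aggregate like ca-certificates.crt adds no
 * duplicates. Fixture paths and PEM bodies are constructed, not real certs. */
#define _POSIX_C_SOURCE 200809L
#include <dirent.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define MAX_ENTRIES 256
struct load_stats { size_t files_seen, files_opened, certs_seen, certs_loaded; };
static struct { dev_t dev; ino_t ino; } seen_ino[MAX_ENTRIES];
static char *seen_body[MAX_ENTRIES];   /* text of PEM bodies already loaded */
static size_t n_ino, n_body;

/* Return 1 if this (dev, ino) pair was already loaded, else record it. */
static int inode_seen(const struct stat *sb)
{
    for (size_t i = 0; i < n_ino; i++)
        if (seen_ino[i].dev == sb->st_dev && seen_ino[i].ino == sb->st_ino) return 1;
    if (n_ino < MAX_ENTRIES) { seen_ino[n_ino].dev = sb->st_dev; seen_ino[n_ino++].ino = sb->st_ino; }
    return 0;
}

/* Same for certificate bodies; exact-text comparison is enough for this demo. */
static int body_seen(const char *body)
{
    for (size_t i = 0; i < n_body; i++)
        if (strcmp(seen_body[i], body) == 0) return 1;
    if (n_body < MAX_ENTRIES) seen_body[n_body++] = strdup(body);
    return 0;
}

/* Walk the PEM blocks of one file. A new body is the point where a real loader
 * would hand the certificate to the TLS library. Over-long bodies are truncated. */
static void load_pem_file(const char *path, struct load_stats *st)
{
    FILE *f = fopen(path, "r");
    char line[256], body[4096];
    int in_cert = 0;
    if (!f) return;
    st->files_opened++;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "-----BEGIN CERTIFICATE-----", 27) == 0) {
            in_cert = 1; body[0] = '\0';
        } else if (strncmp(line, "-----END CERTIFICATE-----", 25) == 0) {
            if (in_cert) { st->certs_seen++; if (!body_seen(body)) st->certs_loaded++; }
            in_cert = 0;
        } else if (in_cert) strncat(body, line, sizeof body - strlen(body) - 1);
    }
    fclose(f);
}

/* Load every regular file in dir once, however many names point at it. */
struct load_stats load_ca_directory(const char *dir)
{
    struct load_stats st = {0, 0, 0, 0};
    struct dirent *e; struct stat sb; char path[1024];
    DIR *d = opendir(dir);
    n_ino = 0;
    while (n_body) free(seen_body[--n_body]);
    if (!d) return st;
    while ((e = readdir(d)) != NULL) {
        if (strcmp(e->d_name, ".") == 0 || strcmp(e->d_name, "..") == 0) continue;
        snprintf(path, sizeof path, "%s/%s", dir, e->d_name);
        /* stat() follows symlinks, so sb describes the final target */
        if (stat(path, &sb) != 0 || !S_ISREG(sb.st_mode)) continue;
        st.files_seen++;
        if (inode_seen(&sb)) continue;  /* another name for a file already loaded */
        load_pem_file(path, &st);
    }
    closedir(d);
    return st;
}

/* Constructed fixture mirroring the quoted Debian layout: the real file lives in
 * root/share; root/certs holds two hash links, a .pem link and an aggregate. */
#define VISA_PEM  "-----BEGIN CERTIFICATE-----\nCONSTRUCTED-VISA-BODY\n-----END CERTIFICATE-----\n"
#define OTHER_PEM "-----BEGIN CERTIFICATE-----\nCONSTRUCTED-OTHER-BODY\n-----END CERTIFICATE-----\n"
static int write_file(const char *p, const char *s) { FILE *f = fopen(p, "w"); if (!f) return -1; fputs(s, f); return fclose(f); }
int make_fixture(const char *root)
{
    static const char *links[] = {"6fcc125d.0", "a760e1bd.0", "Visa_eCommerce_Root.pem"};
    static const char *dirs[] = {"", "/share", "/certs"};
    char p[1024];
    for (size_t i = 0; i < 3; i++) {
        snprintf(p, sizeof p, "%s%s", root, dirs[i]);
        if (mkdir(p, 0700) != 0 && errno != EEXIST) return -1;
    }
    snprintf(p, sizeof p, "%s/share/Visa_eCommerce_Root.crt", root);
    if (write_file(p, VISA_PEM) != 0) return -1;
    for (size_t i = 0; i < 3; i++) {
        snprintf(p, sizeof p, "%s/certs/%s", root, links[i]);
        unlink(p);   /* the fixture may be left over from an earlier run */
        if (symlink("../share/Visa_eCommerce_Root.crt", p) != 0) return -1;
    }
    snprintf(p, sizeof p, "%s/certs/ca-certificates.crt", root);
    return write_file(p, VISA_PEM OTHER_PEM);
}
```

Running `load_ca_directory()` on the fixture's certs/ directory sees four names, opens only two files (one of the three links plus the aggregate), encounters three PEM blocks and loads two distinct certificates; without either check the same certificate would be loaded four times, exactly the count Tim reports. The body comparison is deliberately naive: it catches byte-identical copies, which is what an aggregate built from the same source files contains, but the same certificate re-wrapped at a different line width would slip through, so a real loader should compare the decoded DER or a fingerprint instead.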