On Saturday, 3 August 2013, 00:14:38, Ángel González wrote:
> On 02/08/13 16:11, Tim Ruehsen wrote:
> > Hi,
> >
> > I realized that gnutls.c loads every file it can find in the given
> > ca_directory (default: /etc/ssl/certs).
> >
> > For me (on Debian SID) it means, every certificate is loaded 4 times !
> >
> > Example Visa certificate:
> > ~/src/wget/src$ l /etc/ssl/certs|grep Visa
> > lrwxrwxrwx 1 root root 23 11-06-13 08:40:39 6fcc125d.0 -> Visa_eCommerce_Root.pem
> > lrwxrwxrwx 1 root root 23 11-06-13 08:40:39 a760e1bd.0 -> Visa_eCommerce_Root.pem
> > lrwxrwxrwx 1 root root 58 27-10-11 09:39:52 Visa_eCommerce_Root.pem -> /usr/share/ca-certificates/mozilla/Visa_eCommerce_Root.crt
>
> I wonder why you have two different hashes for the same file. Maybe one of them
> comes from an old Visa_eCommerce_Root.crt ?
> Those hashes are normally created by c_rehash(1)

Well, I don't know. But calling c_rehash creates two sums per file:

root@debian:~# c_rehash /etc/ssl/certs/
Doing /etc/ssl/certs/
Camerfirma_Global_Chambersign_Root.pem => cb59f961.0
Camerfirma_Global_Chambersign_Root.pem => a0bc6fbb.0
Chambers_of_Commerce_Root_-_2008.pem => c47d9980.0
Chambers_of_Commerce_Root_-_2008.pem => 1eb37bdf.0
A-Trust-nQual-03.pem => 9c472bf7.0
A-Trust-nQual-03.pem => c3a6a9ad.0
...

> > That is 3 times plus loading of ca-certificates.crt kept in
> > /etc/ssl/certs/, which seems to contain all certificates from
> > /etc/ssl/certs.
>
> Almost. It contains all certificates activated in
> /etc/ca-certificates.conf (all, by default). See update-ca-certificates(8)

Good to know, thank you.

> > It would be easy to fix that, if backwards compatibility wasn't an issue:
> > 1. If we just load *.pem files, we would miss *.crt files
> > 2. If we just load *.crt files, we would miss *.pem files
> > 3. If we load both *.pem and *.crt files, we also load aggregations like
> > ca-certificates.crt (loading certs twice).
>
> We are obtaining the final inode in the stat(). We should keep a list of loaded
> inodes to avoid loading the same file several times.
> Although that wouldn't fix the duplication with aggregations.

That's a good idea. I'll implement that next week, using Wget's hashtable stuff.
At least for user-provided directories or if gnutls_certificate_set_x509_system_trust() is not available.

> > My favorite would be to use
> >
> > gnutls_certificate_set_x509_system_trust()
> >
> > for the default case (opt.ca_certificate == NULL) instead of the hard-coded
> > /etc/ssl/certs/. This function loads all certs from the 'system' certs
> > directory just once.
>
> Looks good.
>
> > For a user-provided cert directory, we should keep the current behavior of
> > loading every file in the directory. Anything else may break Wget
> > compatibility.
> >
> > I already have made the changes, but would like to see comments and/or
> > opinions.

Thanks for your response.

Tim
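The inode bookkeeping Ángel suggests, as an added example in C that is not wget's own gnutls.c: a walk of a CA directory that stat()s each entry and skips any (st_dev, st_ino) pair it has already seen, run against a constructed directory that mirrors the Visa listing above (one .pem plus two c_rehash-style symlinks). Loading is simulated by counting; real code would call gnutls_certificate_set_x509_trust_file() on each unique path. It assumes a POSIX system with a writable /tmp, and, as the thread notes, it does not catch the ca-certificates.crt aggregation, since that is a distinct inode.

```c
#define _DEFAULT_SOURCE 1               /* mkdtemp(), symlink() on glibc */
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
#define MAX_SEEN 4096
struct seen { dev_t dev; ino_t ino; };
char g_dir[64];                           /* path of the last sample dir made */

/* Records (dev, ino); returns 1 if that inode was already in the table. */
static int seen_before(struct seen *tab, size_t *n, dev_t dev, ino_t ino) {
    for (size_t i = 0; i < *n; i++)
        if (tab[i].dev == dev && tab[i].ino == ino) return 1;
    if (*n < MAX_SEEN) tab[(*n)++] = (struct seen){ dev, ino };
    return 0;
}
/* Walks `dir`; stat() follows symlinks to the final inode. dedup=0 counts every
 * regular file (today's behaviour), dedup=1 skips inodes already seen. */
int load_certs(const char *dir, int dedup) {
    struct seen *tab = calloc(MAX_SEEN, sizeof *tab);
    size_t n = 0; int loaded = 0;
    DIR *d = opendir(dir);
    if (!d || !tab) { free(tab); if (d) closedir(d); return -1; }
    for (struct dirent *e; (e = readdir(d)) != NULL; ) {
        char path[4096]; struct stat st;
        snprintf(path, sizeof path, "%s/%s", dir, e->d_name);
        if (stat(path, &st) != 0 || !S_ISREG(st.st_mode))
            continue;                     /* ".", "..", dangling symlinks */
        if (dedup && seen_before(tab, &n, st.st_dev, st.st_ino))
            continue;                     /* e.g. 6fcc125d.0 -> same .pem */
        loaded++;     /* real code: gnutls_certificate_set_x509_trust_file() */
    }
    closedir(d); free(tab);
    return loaded;                        /* -1 on error, else files loaded */
}
/* Constructed sample mirroring the Visa listing: one .pem plus two
 * c_rehash-style symlinks to it. Returns the directory path or NULL. */
const char *make_sample_dir(void) {
    char p[4096];
    snprintf(g_dir, sizeof g_dir, "/tmp/certs-XXXXXX");
    if (!mkdtemp(g_dir)) return NULL;
    snprintf(p, sizeof p, "%s/Visa_eCommerce_Root.pem", g_dir);
    FILE *f = fopen(p, "w"); if (!f) return NULL;
    fputs("-----BEGIN CERTIFICATE-----\nconstructed\n-----END CERTIFICATE-----\n", f); fclose(f);
    snprintf(p, sizeof p, "%s/6fcc125d.0", g_dir);
    if (symlink("Visa_eCommerce_Root.pem", p) != 0) return NULL;
    snprintf(p, sizeof p, "%s/a760e1bd.0", g_dir);
    return symlink("Visa_eCommerce_Root.pem", p) == 0 ? g_dir : NULL;
}
```

With dedup=0 the three directory entries are counted as three loads, with dedup=1 as one, which is the duplication the thread measures before and after the inode check.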