On 1/3/19 6:39 PM, Jeffrey Walton wrote:
> On Thu, Jan 3, 2019 at 12:23 PM Ander Juaristi <[email protected]> wrote:
>>
>> The patch looks good to me. As Tim says, I would also pass NULL as the
>> second param in line 20. If we provide --ca-directory what would happen
>> is that OpenSSL will pick up the most suitable certificate from the
>> directory based on the hash value of the name, and some other field I
>> don't remember. GnuTLS will consider all of them. In the end it's the
>> same behavior.
>>
>> Tim, could you merge the patch?
>
> Feel free to knob turn on it. I'm fine with merciless editing.
>
> The three use cases I was trying to capture are:
>
> (1) wget ... # no CAs specified; use defaults from wgetrc
>
> (2) wget --ca-file=... # Use only this CA or collection of CAs
>
> (3) wget --ca_directory=... # Use only this collection of CAs
>
> Cases (2) and (3) attempt to avoid unwanted additional CAs for those
> who are trying to be strict about what they are willing to accept.
I just made up a first commit out of the 'partial trust chain' code.

The second part (your points 1-3) would look a bit different. For backwards compat we don't want to change wget's behavior when using --ca-file and/or --ca_directory (not even to fix a design flaw). But we could skip loading the default certs (via SSL_CTX_set_default_verify_paths()) when --ca-file=... *and* --ca_directory="" is given.

Another (cleaner) option would be to add a new option --ca-skip-defaults.

WDYT?

Regards,
Tim
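The following is an added worked example for the trust-store discussion in this thread; it is not wget code and not from any of the participants. It is written in Python rather than C because Python's ssl module wraps exactly the OpenSSL calls named above: SSLContext.load_default_certs() ends in SSL_CTX_set_default_verify_paths(), and load_verify_locations(cafile=..., capath=...) is SSL_CTX_load_verify_locations(). The policy in trust_sources(), the option name --ca-skip-defaults, and the meaning of --ca_directory="" are assumptions modelled on Tim's proposal, not wget's current behaviour; the CA certificate is a constructed fixture generated at run time with the openssl CLI.

```python
"""Which CA stores does a wget-style client actually trust?

Added illustration for the --ca-file / --ca_directory / default-store
discussion in this thread; it is NOT wget code. Python's ssl module wraps
the OpenSSL calls the thread names: SSLContext.load_default_certs() ends
in SSL_CTX_set_default_verify_paths(), load_verify_locations() in
SSL_CTX_load_verify_locations(). The policy in trust_sources() and the
option name --ca-skip-defaults follow the proposal above and are
assumptions about a possible design, not wget's actual behaviour.
"""
import os
import shutil
import ssl
import subprocess
import tempfile


def trust_sources(ca_file=None, ca_directory=None, skip_defaults=False):
    """Decide what to load; returns (load_defaults, cafile, capath).

    Backwards compatible: --ca-file / --ca_directory on their own still add
    to the default store. Defaults are skipped only for --ca-skip-defaults,
    or for --ca-file=... combined with an explicit --ca_directory="".
    """
    if skip_defaults or (ca_file and ca_directory == ""):
        load_defaults = False
    else:
        load_defaults = True
    return load_defaults, ca_file or None, ca_directory or None


def build_context(ca_file=None, ca_directory=None, skip_defaults=False):
    """Verifying client context built from the decided trust sources."""
    load_defaults, cafile, capath = trust_sources(ca_file, ca_directory, skip_defaults)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check
    if load_defaults:
        # -> SSL_CTX_set_default_verify_paths(): the distro bundle / cert dir
        ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
    if cafile or capath:
        # -> SSL_CTX_load_verify_locations(): the user's file and/or hashed dir
        ctx.load_verify_locations(cafile=cafile, capath=capath)
    return ctx


def ca_count(ctx):
    """CA certificates currently held in the context's X509_STORE.

    A capath directory is not read eagerly: OpenSSL looks a CA up by the
    hash of its subject name (the <hash>.0 c_rehash naming) only when a
    chain is being verified, so directory CAs are not counted here.
    """
    return ctx.cert_store_stats()["x509_ca"]


def make_test_ca(workdir):
    """Constructed fixture: a throw-away self-signed CA via the openssl CLI."""
    if shutil.which("openssl") is None:
        raise RuntimeError("openssl CLI needed to build the test CA")
    ca_pem = os.path.join(workdir, "ca.pem")
    key_pem = os.path.join(workdir, "ca-key.pem")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
         "-subj", "/CN=Constructed Test CA", "-keyout", key_pem, "-out", ca_pem],
        check=True, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return ca_pem


def make_hashed_dir(ca_pem, workdir):
    """Lay the CA out as --ca_directory / capath expects: <subject_hash>.0."""
    h = subprocess.run(["openssl", "x509", "-in", ca_pem, "-noout", "-subject_hash"],
                       check=True, capture_output=True, text=True).stdout.strip()
    capath = os.path.join(workdir, "certs")
    os.mkdir(capath)
    shutil.copy(ca_pem, os.path.join(capath, h + ".0"))
    return capath


def demo():
    """CA counts for the thread's cases (1)-(3) and the two strict variants."""
    with tempfile.TemporaryDirectory() as workdir:
        ca_pem = make_test_ca(workdir)
        capath = make_hashed_dir(ca_pem, workdir)
        return {
            "default_only": ca_count(build_context()),                      # case (1)
            "file_plus_defaults": ca_count(build_context(ca_file=ca_pem)),  # case (2) today
            "file_strict": ca_count(build_context(ca_file=ca_pem, ca_directory="")),
            "file_skip_defaults": ca_count(build_context(ca_file=ca_pem, skip_defaults=True)),
            "dir_strict": ca_count(build_context(ca_directory=capath, skip_defaults=True)),  # (3)
        }


if __name__ == "__main__":
    for name, n in demo().items():
        print(f"{name:20s} {n} CA cert(s) in store")
```

The point the counts make is the one Jeffrey's cases (2) and (3) are after: with today's behaviour, --ca-file adds one CA on top of however many the default store already holds, whereas the strict variants end up with exactly the one CA the user named. The dir_strict figure stays at zero even though the directory is correct, because OpenSSL's hashed-directory lookup only pulls a certificate in when a verification asks for its subject name; so "how many CAs are loaded" is not a usable check for --ca_directory, and a hashed directory that is missing the <hash>.0 link fails silently at handshake time rather than at load time.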
