On Fri, Feb 22, 2019 at 7:06 AM Tim Rühsen <[email protected]> wrote:
>
> On 1/3/19 6:39 PM, Jeffrey Walton wrote:
> > On Thu, Jan 3, 2019 at 12:23 PM Ander Juaristi <[email protected]> wrote:
> >>
> >> The patch looks good to me. As Tim says, I would also pass NULL as the
> >> second param in line 20. If we provide --ca-directory what would happen
> >> is that OpenSSL will pick up the most suitable certificate from the
> >> directory based on the hash value of the name, and some other field I
> >> don't remember. GnuTLS will consider all of them. In the end it's the
> >> same behavior.
> >>
> >> Tim, could you merge the patch?
> >
> > Feel free to knob turn on it. I'm fine with merciless editing.
> >
> > The three use cases I was trying to capture are:
> >
> > (1) wget ... # no CAs specified; use defaults from wgetrc
> >
> > (2) wget --ca-file=... # Use only this CA or collection of CAs
> >
> > (3) wget --ca_directory=... # Use only this collection of CAs
> >
> > Cases (2) and (3) attempt to avoid unwanted additional CAs for those
> > who are trying to be strict about what they are willing to accept.
>
> I just made up a first commit out of the 'partial trust chain' code.
>
> The second part (your points 1-3) would look a bit different.
>
> For backwards compat we don't want to change wget's behavior when using
> --ca-file and/or --ca_directory (not even to fix a design flaw).
>
> But we could skip loading the default certs (via
> SSL_CTX_set_default_verify_paths()) when --ca-file=... *and*
> --ca_directory="" is given.
>
> Another (cleaner) option would be to add a new option --ca-skip-defaults.
>
> WDYT?
Looks good to me. I think it is important to maintain consistent behavior across backends, so the changes to the patch are important.

--ca-skip-defaults may make sense. I often avoid the CA Zoo. I don't know how many others do the same.

Jeff
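Added example, not wget's code or any patch from this thread: a Python `ssl` sketch of the three cases Jeff lists and of the `--ca-skip-defaults` behaviour Tim proposes. The function names are made up for illustration; the `ssl` module wraps the same OpenSSL calls named above (`SSL_CTX_load_verify_locations()` for `--ca-file`/`--ca-directory`, `SSL_CTX_set_default_verify_paths()` for the default store).

```python
import ssl
import tempfile


def build_verify_context(cafile=None, capath=None, skip_defaults=False):
    """Verifying TLS client context for the three cases in the thread.

    cafile / capath stand in for --ca-file / --ca-directory and go through
    SSL_CTX_load_verify_locations(). The default store (what OpenSSL adds
    via SSL_CTX_set_default_verify_paths()) is loaded unless skip_defaults
    is set, which is the proposed --ca-skip-defaults behaviour.
    Returns (context, defaults_loaded).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    if cafile is not None or capath is not None:
        # Cases (2) and (3): only the explicitly named trust anchors.
        ctx.load_verify_locations(cafile=cafile, capath=capath)
    defaults_loaded = False
    if not skip_defaults:
        # Case (1), and today's wget behaviour even with --ca-file/--ca-directory:
        # the system CA bundle is added on top of whatever was loaded above.
        ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
        defaults_loaded = True
    return ctx, defaults_loaded


def trusted_ca_count(ctx):
    """CA certificates currently held in memory by the context's X509 store.

    Caveat: certificates in a hashed capath directory are looked up lazily by
    subject-name hash at verification time, so they are not counted here.
    """
    return ctx.cert_store_stats()["x509_ca"]


def strict_capath_demo():
    """Strict case: empty hashed directory, defaults skipped -> zero trusted CAs.

    Returns (defaults_loaded, ca_count) so the outcome can be checked.
    """
    with tempfile.TemporaryDirectory() as capath:  # constructed, empty capath
        ctx, loaded = build_verify_context(capath=capath, skip_defaults=True)
        return loaded, trusted_ca_count(ctx)


if __name__ == "__main__":
    print("strict (--ca-directory=<empty>, skip defaults):", strict_capath_demo())
    ctx, loaded = build_verify_context()
    print("defaults only: loaded=%s, CAs=%d" % (loaded, trusted_ca_count(ctx)))
```

With defaults loaded the CA count depends on the host's bundle, which is exactly the "CA Zoo" the strict cases are meant to avoid.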
